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1 INTRODUCTION 


This edition of the OneOS Book corresponds to the V4.3R4E21 and V5.1R3E1 software releases of 
OneOS. It is also available for all previous software releases of OneOS according to the features matrix 
described hereafter. 


The OneOS software developed for use with the ONE product range offers an extensive range of features 
designed to provide a complete & highly powerful range of multi-service access routers: 


e Full IP router with NAPT, Security, and Quality of Service management 

e Support of voice for analog and ISDN SO/TO terminals using Voice over IP and Voice over ATM 
e —_Interworking of data protocols (FR, X.25, PAD, XOT, X.31) 

e Advanced management tools based on CLI (Command Line Interface), SNMP, FTP/TFTP 


This document is the OneOS user guide for basic IP functions of the OneOS-based range products. 
Seven other user guides and two global indexes are available: 

o OneOS — Admin User Guide 

o OneOS - Bridging & LAN User Guide 

o OneOS — Advanced IP User Guide 

o OneOS — WAN User Guide 

o OneOS — VoIP User Guide 

o OneOS — VoATM & CES User Guide 

o OneOS — IBC User Guide 

o Index of OneOS User Guides (global table of contents) 

o Index of CLI of OneOS User Guides (global list of CLI commands) 
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1.1 FEATURE MATRIX 


The following table is a resource providing edition by edition the released features. The table was done as 
of the V3.5R2E3 software release. For simplification, the indicated software release shows the presence of 
a feature in a given software release starting with V3.5R2E3. It should be noted that most features were 
available in earlier versions. 


General IP 
enenone 


Static routing, setting of route administrative distance (static V3.5R2E3 
floating routes) 

Equal cost multi-path routing (flow-based load sharing per V3.5R2E3 
destination) 


Equal cost multi-path routing (flow-based load sharing per V4.2R5E6 
packet) 


Static ARP entries 


TCP MSS (Maximum Segment Size) Clamping on any V3.5R2E3 
interface 


Support of IP helper addresses V3.5R2E3 
Support of IP directed broadcast V3.5R2E3 
Access lists on directed broadcast V4.3R2E2 


Support of Ethernet jumbo frames (up to 1606 bytes) on V4.2R5E15 
ONE20D, ONE80XM, ONE100D/M (on Ethernet 1/0 and 
ATM interfaces) 


Virtual Routing and Forwarding (VRF) V4.3R2E2 
IP Tunnels Unnumbered tunnel IP V3.5R2E3 


GRE: tunnel key, checksum, datagram sequencing, path V3.5R2E3 
MTU discovery 


L2TP 

IP Accounting 
Accounting of ACL violations 

Access Control 
eer) 
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Present at least in: 


Context-Based Access Control (or Stateful Inspection) V3.5R2E3 
Reverse Path Forwarding Check (RPF) V3.5R2E3 
Configuration of ICMP unreachables V3.5R2E3 
Monitoring of fragments V3.5R2E3 
Rule-based logging V3.5R2E3 
Session auditing V3.5R2E3 
Rule sequencing and re-sequencing V3.5R2E3 
Limiting on half-open and open sessions V3.5R2E3 
Per-source-host session limiting and half-open session V3.5R2E3 





limiting, thresholds are configurable globally and per host 


Network Address| Static NAT/NAPT V3.5R2E3 
Translator (NAT) | Dynamic NAT/NAPT V3.5R2E3 


User list (ACL to determine packets being translated), also V3.5R2E3 
called selective NAT 


NAT ALG SIP deactivation 





V4.2R4E2 





Input processing: classification, marking, policing V3.5R2E3 
Output processing: classification, marking, policing, V3.5R2E3 
shaping, congestion avoidance 

Classification based on ACL, DSCP/precedence, RTP, input V3.5R2E3 
interface, combination of criteria from various class maps 

Nested policy-map (policy-map within a class of a policy- V3.5R2E3 
map) 


Policing: single rate traffic policer, two-rate traffic policer, V3.5R2E3 





color aware policer 


Policing bandwidth configured in absolute value or percent V3.5R2E3 


Shaping bandwidth configured in absolute value or percent V3.5R2E3 
of the layer-1 link bandwidth 
) 


Shaping: CBQ, CB-WFQ, Generic Traffic Shaping (GTS) on 
any interface when a QoS policy is configured, LLQ (Low 
Latency Queuing) for high priority frames 


Sharing remaining bandwidth in CBQ/CBWFQ shaping: V3.5R2E3 
based on class weights 

Sharing remaining bandwidth in CBQ/CBWFQ shaping: V4.2R4E2 
based on class priorities 

Class-based marking and/or marking per policing V3.5R2E3 
conformance classes 


Explicit Congestion Notification V3.5R2E3 
Virtual QoS group marking and matching V3.5R2E3 


Class-based Random Early Discard (RED) and Weighted V3.5R2E3 
RED (WRED), color-aware WRED 


Layer-2 marking: ATM CLP, FR DE V3.5R2E3 
Layer-2 QoS: CIR + priority V4.2R4E2 
Policy-Based | Matching packets based on class-maps V3.5R2E3 


Routing (PBR) | Bypass routing by setting: V3.5R2E3 


V3.5R2E3 





- Output interfaces 


- or next-hop IP address 


Support of multiple backup output interfaces/next-hop V3.5R2E3 
Local policy route map for local flow marking V3.5R2E3 
Layer-2 marking: CLP, DE V3.5R2E3 
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DHCP Server 
DHCP Client and | DHCP relay 
A 


AZR features: ARP ping, accounting, ARP table update via V3.6R4E5 
DHCP 


DHCP client: option 60/61/77, ignoring default route V4.2R3E6 
Secure association (option 43 


) 
Dynamic DNS _| Support of dyndns.org, No-IP and EuroDynDNS server V3.5R2E3 
server update 
(DynDNS) 





ONS Proxy 
VRRP 

V3.5R2E3 
advertisements are sent 
Support of a tracking interface (if the interface is down, the V3.5R2E3 
virtual router priority is decreased) 
Tracking list (if some routes are down, the virtual router V3.5R2E3 
priority is decreased) 

| _IRDP__—| ICMP Router Discovery Protocol (as router) =| V3.SR2ES 


Server Load Weighted load balancing on a server farm V3.5R2E3 


Balancing Monitoring of active servers and quarantine servers not V3.5R2E3 
responding 
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IPV4 ADDRESSING AND ROUTING 


This section describes the main features of the IPv4 stack and its configuration. For advanced features 
such as Access Control Lists (ACL), NAT, and QoS, please refer to the appropriate sections for detailed 
information. 





2.1 


are We 


ed 


2.1. 


IPV4 FEATURES 


The IPv4 stack implements the Internet Protocol (IP), Internet Control Message Protocol (ICMP), Internet 
Group Management Protocol (IGMP), Address Resolution Protocol (ARP), Transmission Control Protocol 
(TCP), User Datagram Protocol (UDP), and Routing Information Protocol (RIP), as well as a number of 
advanced features including Access Control Lists (ACL), Network address Translator (NAT), and 
Differentiated Services (DiffServ). The IPv4 stack has been implemented with optimal manageability and 
ease of configuration in mind. 


The implementation of the IPv4 stack conforms to the standards defined by different standards 
organizations such as the IETF. The main features of the IPv4 stack are outlined below. 


Note: in the following the notation IP will refer to the IPv4 stack. 
Variable Length Subnet Mask (VLSM) 


As defined in RFC 1878, VLSM enables set up of sub-networks by using a mask that differs from the Class 
A, B, C network mask. This feature can be useful in corporate networks for a flexible definition of corporate 
address space. 


Classless Inter-Domain Routing (CIDR) 


CIDR was introduced in mid 1990's to circumvent the problem of IP address exhaustion that was due to 
the rapid growth of the Internet. As defined in RFC 1519, when using CIDR, the address space of any 
traditional class (class A in particular) can be broken down into smaller address segments. This allows for 
more efficient use of the existing larger address spaces such as those found in Class A. 


The implication in using CIDR is that the routing infrastructure should allow for the use of an arbitrary (most 
often longer) mask instead of that derived from the class. 


IP Fast Forwarding 


To achieve high forwarding performance, IP fast-forwarding has been implemented to create a fast path for 
the most common IP packets except those, which require fragmentation or with specific options. It makes 
use of a route cache to accelerate routing table lookup and contains many other techniques to optimize 
fast forwarding processing. As a result, the overall forwarding performance is considerably improved. 
Advanced features such as QoS, ACL, and NAT are all implemented in fast path. 


Multiple Addresses per Interface 


Multiple addresses can be assigned to one network interface such that multiple logical networks can be 
supported on a single physical network. 
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2.1.5 Virtual Interfaces 


Virtual network interfaces are software interfaces that do not require a physical interface to run. Currently, 
virtual network interfaces include Loopback and Null interfaces. A Loopback interface loops all output 
packets back to IP. It can be used to virtually hold an IP address (not assigned to a physical port). The Null 
interface (much like the UNIX /dev/null device) discards all output packets and can be used to easily make 
routes unreachable (for example, to drop packets destined to 10.0.0.0/8, a user can add a route 10.0.0.0/8 
through the interface Null 0). 


2.1.6 Static Routes 


Most often in small networks, it is sufficient to use static routes, (i.e., user-configured routes). Static routes 
can work together with dynamic routes. They can overwrite or be overwritten by dynamic routes. Static 
routes are maintained separately so that they can be installed to or removed from the routing table when 
network conditions change. 


The use of routing protocols may not be the desired solution to update the routing table (activating routing 
protocols may cause network engineering challenges). The IP route tracking facility enables to force a 
static route to go down when an IP peer is no more reachable. This facility is a simple solution to 
reconfigure routing topology when an incident occurs in the network. This solution is well suited to trigger 
the activation of a backup route. 


2Ant Equal Cost Multi-Path Routing (ECMP) 


When several static routes have an equal metric but different destinations (or gateway/interfaces), ECMP 
is activated. Two modes are available depending on a global configuration parameter. 


Per destination (default mode): a hashing is made on the source/destination address to select the path. At 
first sight, the load sharing is loosely “source + destination” based load sharing. The reason for using 
‘loosely’ is: the route cache is checked before the ECMP processing. The route cache only contains a 
reference to outbound path and destination IP (not source IP). That means two flows with the same 
destination IP but different source will take the same path once the path is in route cache. 


Per packet: packets are sent over successive equal cost paths without regard to individual destination 
hosts or user sessions. That means two flows with the same destination IP might take different paths and 
might arrive out of order. 


2.1.8 Dynamic Routing 


Routing protocols such as RIP (Routing Information Protocol) can be used to exchange routing information 
among routers. Currently supported routing protocols are only suitable for use inside one administrative 
domain. Refer to the appropriate section for more information. 


2.1.9 Virtual Routing and Forwarding 


Virtual routing and forwarding or VRF allows a single router to use multiple routing tables. The main benefit 
is enhanced VPN support. Multiple customers can now be connected to a single device without address 
collisions, as they each have a separate routing table assigned to them. 


Network paths can be segmented without using multiple devices. Traffic is automatically segregated, i.e. 
prevented from being forwarded outside a specific VRF path, and traffic that should remain outside the 
VRF path is also kept out. As a result, VRF increases network security and may eliminate the need for 
encryption and authentication. 


Internet service providers often use VRF to create separate virtual private networks (VPN) for customers; 
therefore, the technology is also referred to as VPN routing and forwarding. VRF acts like a logical router, 
but while a logical router may include many routing tables, a VRF instance uses only a single routing table. 


VRF is an alternative to some router configurations using access lists to prevent access to router 
management from LAN/Internet and policy-based routing and to force Internet traffic to use legitimate 
paths. 


There is one routing table per VRF instance. A default VRF exists implicitly; all IP services and interfaces 
are active in this default VRF if references to VRF are not explicitly configured. 
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2.1.10 IP Packet Routing with Multiple VRF instances 


Before routing an incoming packet, OneOS must determine which routing table must be actually used. In 
fact, every IP interfaces is attached to a VRF (with default VRF if not explicitly configured). The router 
configuration defines the VRF of every LAN, VLAN, ATM PVC ... interface. The ingress interface defines 
the VRF Forwarding Information Base (FlB=routing table) to be used. The directly connected routes in a 
VRF FIB correspond to the interface networks attached to that VRF. Therefore, packets entering a VRF 
can only be routed to another interface, which is member of that VRF. This architecture allows interfaces 
and routing tables of different VRF instances to have overlapping networks. 


If packets are routed out on a LAN / VLAN interface, ARP is required to get next hop MAC address. ARP 
tables are also instantiated (one ARP table per VRF instance), because IP addresses are only unique 
within a VRF. 


2.1.11 Support of jumbo frames 


As of V4.2R5E15 software release on ONE20D, ONE80XM, ONE100D and ONE100M, Ethernet jumbo 
frames up to 1606 bytes are supported on the Ethernet 1/0 interface and on the ATM interfaces (IPoA, 
IPoA + bridge, PPPoA, PPPoEoA, ATM-AAL5, ATM-AAL5 + VLAN including Q-in-Q). This allows the 
routing of IP packets of up to 1580 bytes without being fragmented between Ethernet 1/0 and ATM. 


2.1.12 IP Packet Processing Path 


The following diagram on next page shows the sequence of processing that can be applied to packets 
routed by OneOS. This sequence is important, in that NAT or access lists can modify packets such that 
some processing becomes either inefficient or no more used. 


Note: the diagram is valid as of OneOS V3.2R2E21. In previous OneOS versions, the processing 
sequence was: NAT > ACL > Routing > NAT > ACL. 


Note: some processing functions could be not available depending on software releases and software 
licenses. 
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IP Services (ICMP/IGMP/TCP/UDP’...) 


IP Routing & Forwarding 
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2.2 IPV4 CONFIGURATION COMMANDS 


The parameter values given in the configuration commands are all informal. - Users should replace them 
with the appropriate values. 


2.2.1 VRF name 


Prior to be used, a VRF (if used) must be declared using the following command in global configuration 
mode. Use the no form to remove the VRF. 


CLI(configure)> [no] ip vrf <vrf-name> 
To associate an interface to a declared VRF, use the following command in interface configuration mode. 
Remember that all interfaces are, by default, associated to the default VRF. 


Note that this command erases the whole previous IP configuration of the interface (e.g. the IP 
address). 


CLI (configure)> interface <type> <unit> 

CLI (config-if)> ip vrf forwarding <vrf-name> 
To remove the interface from the declared VRF, use the following command in interface configuration 
mode. Note that the interface is now associated to the default VRF again. 


CLI(config-if)> no ip vrf forwarding 
2.2.2 IP Address 


To assign an IP address to an interface, use the following command in interface configuration mode): 
CLI (configure)> interface <type> <unit> 


CLI(config-if)> ip address <ip-address> [<netmask>] [secondary] 


The ip-address and netmask should be given in the common dotted format, i.e., 10.10.10.1 or 
255.255.0.0. If the netmask is not given, it will be derived from the class of the given addresses. If the 
keyword secondary is present, the given address will be appended to the interface address list. 
Otherwise the address replaces the first address in the list (if it exists). 


To delete an address, use the no form of the above-referenced command. To delete all IP addresses or 
mark the interface that should not have any IP address, use the following command: 


CLI(config-if)> no ip address 
2.2.3 IP Broadcast Address 


To change the IP broadcast address of an interface, use the following command in interface configuration 
mode: 


CLI (config-if)> ip broadcast-address <ip-address> 


The default broadcast address is the network address with host part set to all ones. To return to the default 
value, use the following command: 


CLI (config-if)> default ip broadcast-—address 


2.2.4 IP MTU 


To change the IP MTU value, use the following command in interface configuration mode: 


CLI (config-if)> ip mtu <bytes> 
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To return to the default MTU value, use the following command: 


CLI (config-if)> default ip mtu 
252i0 Enable IP Forwarding 


To enable IP forwarding, use the following command in global configuration mode: 
CLI(configure)> [no] ip routing 


By default, IP forwarding is enabled. To disable IP forwarding, use the no form of the above-referenced 
command. 


2.2.6 Static Routes 


To use the IP route tracking facility (see 2.1.6), a RTR probe must be defined and started. Then, a tracking 
object is attached to the RTR session with the following command (the tracking object represents a state of 
the RTR session). Then the tracking object is attached to an IP route. 


CLI(configure)> [no] track <obj-id> rtr <session-id> reachability 


To add a static route for any destination, use the following command in global configuration mode: 
CLI (configure)> [no] ip route [vrf <vrf-name>] <destination> <netmask> 

{ <gateway> | <interface> } 
[<distance>] 
[track <obj-id>] 

When no vrf-name Is given, the route is added in the default VRF. 

Either gateway (next hop) or interface (Such as atm 0.1) must be given in the command. 

The distance (from 1 to 255) is optional and used in multi-path routes (See below and 2.2.7). 


Use the optional obj-id to enable the IP route tracking facility. As soon as the last operation of the RTR 
session fails, the IP route is set down. Note: as of V4.3R2E2 software release, IP route tracking facility is 
only supported on the default VRF. 


The administrative distance Is the preference criterion to determine which routing protocol is entitled to 
install a route in case of conflict. Reminder of the default administrative distance: 


DHCP (learn) 


OSPF 





In addition to the distance parameter, the best route is selected by comparing a metric parameter. The 
metric is generally computed by the IGP/EGP routing protocol. Static routes and directly connected routes 
have a metric equal to zero. If two routes have the same distance and metric, hash-based load sharing 
applies. 


To add a default route through a gateway, use the following command: 
CLI(configure)> [no] ip route [vrf <name>] 0.0.0.0 0.0.0.0 <gateway> 
Static routes are maintained in a separate database until they are explicitly deleted by the user. Once a 


static route becomes usable, it is put into the IP routing table. Similarly when a static route becomes 
unusable due to a change in network interfaces, it is automatically removed from the routing table. 
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To delete a static route, use the no form of the above-referenced command. 
Zneat Multi-path Routes 


IP multi-path routes are meant multiple routes to the same destination. In the current implementation, IP 
multi-path routes are mainly used to provide backup routes to the primary route when the latter gets down. 
A router is required to make appropriate decision on which route should be selected to forward packets 
destined to a given destination. To configure multi-path routes, one can enter, for example, the following 
commands in global configuration mode: 


ip route 10.1.1.0 255.255.255.0 192.168.2.1 2 
ip route 10.1.1.0 255.255.255.0 192.168.3.3 10 


If the two routes are both eligible (outgoing interface is up), the route with the least metric is chosen, that 
is, the first route. If the outgoing interface of the first route goes down for any reason, the second route will 
be chosen. In practice, ISDN is commonly used as a backup interface. 


If the first route is up again, traffic will be redirected to that route. The link of the backup route could be 
shutdown upon idle timeout, for example, the case that the two routes are of the same metric, the first 
route in configuration order will be chosen. 


2.2.8 Flow based Load Sharing 


To set the load sharing mode, use the following command in global configuration mode: 


CLI(configure)> ip load-sharing [vrf <vrf-name>] { per-destination 
| per-packet } 


per-destination Is the default mode (default value). The vrf-name is optional. If not provided the 
default VRF is used. 


2.2.9 Static ARP Entry 


To set a static ARP entry for an IP address, use the following command in global configuration mode: 
CLI (configure)> arp [vrf <vrf-name>] <ip-address> <hardware-address> arpa 
The hardware address is specified in a common format, for example, 08:00:01:02:03:04. The vr f-name is 


optional. If not provided the default VRF is used .A route to the given IP address must exist in the routing 
table, or otherwise this command will fail. 


To delete an ARP entry, use the no form of the above-referenced command. 
2.2.10 ARP Timeout 


To change the ARP timeout value, use the following command in interface configuration mode: 


CLI(config-if)> arp timeout <seconds> 


The default value is 7200 seconds (120 minutes). To return to the default value, use the command: 


CLI (config-if)> default arp timeout 
2.2.11 Domain Name Server 


In the following vr£-name Is optional. If not provided the default VRF is used. 


To set the domain name, use the following command in global configuration mode: 


CLI(configure)> [no] ip domain-name <your-domain> [vrf <vrf-name>] 


To set the name server addresses (up to 3), use the following command: 


CLI(configure)> [no] ip name-server <dns-addressl> [<dns-address2>] 
[<dns-address3>] [vrf <vrf-name>] 


To delete the IP domain name or IP name server, use the no form of the above-referenced commands. 
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To define the duration (default is 150 seconds) to wait for the name server answer, use the following 
command: 


CLI (configure)> [no] ip name-server timeout { 4 | 12 | 18 | 42 | 90 
| 120 | default } [vrf <vrf-name>] 


To globally delete the name servers, to set all DNS-related parameters to their default values, and to 
remove all DNS commands from the running configuration, use the following command: 


CLI(configure)> no ip name-server [vrf <vrf-name>] 
2.2.12 Host Name/Address Binding 


Use the following command in global configuration mode to create a host name/address binding: 


CLI(configure)> [no] ip host <hostname> <ip-address> [vrf <vrf-name> 
The vrf-name Is optional. If not provided the default VRF is used. 
To delete a host name/address binding, use the no form of the above-referenced command. 


2.2.13 Enable IP Route Cache 


To enable IP route cache, use the following command in global configuration mode: 


CLI(configure)> [no] ip route-cache 


By default, IP route cache is enabled. To disable IP route cache, use the no form of the above-referenced 
command. 


2.2.14 Enable IP Source Routing 


To enable IP source routing, use the following command in global configuration mode: 


CLI(configure)> [no] ip source-route 


By default, IP source routing is enabled. To disable IP source routing, use the no form of the above- 
referenced command (in that case IP packets with source routing header options are silently discarded). 


2.2.15 ICMP Redirect 


To send ICMP redirect messages, use the following command in global configuration mode: 
CLI(configure)> [no] ip icmp redirect 


The default is to send ICMP redirect messages. To disable it, use the no form of the above-referenced 
command. 


2.2.16 ICMP Unreachable 


To enable the sending of ICMP unreachable messages, use the following command in interface 
configuration mode. To disable it, use the no form of the command. 


CLI(config-if)> [no] ip unreachables 
The default is to send ICMP unreachable messages; these messages are by default sent at the rate of one 


message every 500 milliseconds. To modify the rate, use the following command in global configuration 
mode. To reset the rate to its default value (500), use the default form of this command. 


CLI (configure)> ip icmp rate-limit unreachable [<1-4294967295>] 
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2.2.17 Virtual Interfaces 


Loopback interfaces can be created or deleted using configuration commands. LoopbackO is automatically 
created by the system and cannot be modified by user. To create a new Loopback interface, use the 
following command in global configuration mode: 


CLI(configure)> interface loopback <unit> 
The unit number should be any number between 1 and 99. This command, if successful, will enter into 


interface configuration mode. Then user can use the IP interface configuration commands to set the IP 
address or any other parameters. To delete a Loopback interface, use the command: 


CLI(configure)> no interface loopback <unit> 


The Null interface (interface null 0) is not configurable and is always present and up in the system. 
2.2.18 TCP connections supervision 


TCP connections supervision parameters are globally defined and apply to all VRF. 


TCP connections (network connections) are supervised by OneOS at establishment of the connections as 
well as all through the connections to detect idle conditions. 


At network connection establishment OneOS sends a SYN packet and by default waits the answer for 
6 seconds. If no answer is received, OneOS resends a SYN packet and waits the answer for 2 times 
6 seconds; and so on by default 3 times doubling the period of time each attempt. This allows a networks 
connection to be established by default within 90 seconds (6+12+24+48). 


To modify the initial values of timeout (default 6 seconds) and number of retries (default 3) use the 
following commands in global configuration mode: 


CLI(configure)> ip tep syn initial-timeout <2-64 even> 
CLI (configure)> ip tcp syn retries <1-10> 


To restore the default values use the following commands: 


CLI(configure)> default ip tcp syn initial-timeout 
CLI(configure)> default ip tcp syn retries 


All through the network connection when no packet is sent or receive for 75 seconds (default value), 
OneOS sends an ACK packet and by default waits the answer for another 75 seconds. If no answer is 
received after 8 attempts (default value) the TCP connection is released. 


To modify the timeout and the number of retries values use the following commands in global configuration 
mode: 


CLI(configure)> ip tcp keepalive timeout <1-3600> 
CLI(configure)> ip tcp keepalive retries <0-20> 


To restore the default values use the following commands: 


CLI(configure)> default ip tcp keepalive timeout 


CLI(configure)> default ip tcp keepalive retries 


2.2.19 TCP MSS Adjustment 


TCP MSS Adjustment parameters are globally defined and apply to all VRF. 


It is common that network interface of any type supports MTU (Maximum Transmission Unit) larger than or 
equal to 1500 bytes, the MTU value used in LANs. However it is more and more often the case that some 
interfaces such as PPPoE and VLAN have a MTU less than 1500 bytes. In general, with IP Path MTU 
discovery, end hosts will adapt TCP MSS (Maximum Segment Size) to meet the smallest MTU along the 
path. A problem is that the PMTU discovery makes use of ICMP error messages to report the MTU to use 
and a lot of organizations have a firewall to filter out such messages. As a result, the source continues to 
send 1500 byte packets with the DF bit set (Don't Fragment, used along with PMTU) in the IP header, and 
these packets are all dropped by the router. 
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To overcome this problem, TCP MSS adjustment can be used to change TCP MSS value in TCP SYN 
packets such that subsequent TCP packets will not exceed the MTU of the interface in question. To apply 
TCP MSS adjustment, use the following command in interface configuration mode: 


CLI(config-if)> [no] ip tcp adjust-mss { <bytes> | auto } 
The maximum value allowed is the interface MTU minus the minimum TCP/IP header size, 40 bytes. For 
example, for PPPoE interface, one could use the value 1452. 
Use auto to automatically adjust TCP MSS to the MTU of the interface (default behavior). 


To disable TCP MSS adjustment, use the no form of the above-referenced command. 
2.2.20 IP Helper Address 


Helper addresses is a feature that permits to forward broadcast packets received from an interface to a 
named server address. For example, DHCP packets received on interface Ethernet are altered so that the 
new destination address is the address of the declared server address; then packets are routed to the 
server address. 


To declare a server address on an interface, so that all received broadcast packets are redirected to that 
server, use the following command in interface configuration mode: 


CLI (config-if)> ip helper-address <A.B.C.D> 
It is possible to configure several server addresses so that packets are redirected to both server 
addresses. 


Forwarded packets are only UDP packets and by default only for the following ports: 


= Si Time protocol 

- 42; Host Name Server / WINS 

=. 49; TACKCS”= Logan. Host Protocol 

= ays Domain Name Service (DNS) 

a 3G BOOTP Server — Bootstrap Protocol Server / DHCP 
= 66's BOOTP Client - Bootstrap Protocol Client / DHCP 
= 69% TFTP - Trivial File Transfer Protocol 


—- 137: NETBIOS Name Service 
- 138: NETBIOS Datagram Service 
To disable a server address, use the no form of the command: 


CLI (config-if)> no ip helper-address <A.B.C.D> 


To add a specific protocol to be forwarded, use the following command in configuration mode: 


CLI (configure)> ip forward-protocol udp <1-65535> 


To remove a specific protocol to be forwarded, use the no form of the command: 


CLI(configure)> no ip forward-protocol udp <1-65535> 
2.2.21 IP Directed Broadcast 


When enabled on an interface, directed broadcast allows incoming unicast IP packets (whose address 
defines them as directed broadcast) destined for an interface's subnet to be broadcasted on that subnet. 


As of V4.3R2E2 software release and for security reasons, directed broadcast is disabled by default and 
when enabled, an access list can be attached to filter directed broadcast packets. In previous software 
releases directed broadcast is enabled by default and no access list can be attached. 


To enable directed broadcast on an interface, use the following command in interface configuration mode: 


CLI (config-if)> ip directed-broadcast [<acl-name>] 


To disable directed broadcast, use the following command in interface configuration mode: 


CLI(config-if)> no ip directed-—broadcast 
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2.2.22 ARP Proxy 


Certain stations are not able to support CIDR subnets, which do not fall in standard class A/B/C network 
ranges. In the event, the LAN subnet (e.g. 255.255.255.248) is smaller than the network configured on the 
workstation (e.g. 255.255.255.0), the station sends ARP requests on the LAN for IP addresses outside the 
subnet. Without ARP proxy, no equipment should respond. 


The ARP proxy function catches the ARP request destined to IP addresses outside the subnet and spoofs 
the answer as if the router was the actual workstation. Then the workstation sends packets with the router 
MAC address as destination. 


ARP proxy is disabled by default. To enable the ARP proxy (from interface configuration mode): 


CLI (config-if)> ip proxy-arp 


To disable ARP proxy: 


CLI(config-if)> no ip proxy-arp 


2.2.23 Shutting Down an Interface 


To shutdown an interface (no longer able to receive and send packets), use the following command in 
interface configuration mode: 


CLI (config-if)> [no] shutdown 


To restart the interface, use the no form of the above-referenced command. 


If an interface is shutdown, the address or addresses assigned to that interface will be unreachable, that 
means, if one pings one of the interface addresses, it will not work. 


2.2.24 IP LED management 


The IP LED shows the status of the IP interfaces (refer to the "Installation Manual" of your OneOS-based 
Router for a complete description of the IP LED). 


By default, all IP interfaces are taken into account for the status of the IP LED. Use the following command 
in global configuration mode to make the status of the designated IP interface to be not taken into account 
for the status of the IP LED (this command can be entered many times for different IP interfaces): 


CLI(configure)> no ip led track-interface <interface-type> <unit> 


To take again into account the IP interface status, use: 


CLI(configure)> ip led track-interface <interface-type> <unit> 
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2. 
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IPV4 CONFIGURATION EXAMPLE 


The following configuration example of a small network illustrates a connection to the Internet via a DSL 
line. Only static routes are used in this example. 
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At Router A, a PVC to the router 50.0.0.3 is set up for an Internet connection. On that connection, IP NAT 
is configured to use interface address overloading (address/port translation). One static route 192.168.3.0 
is configured to interconnect another private network. Two static routes are configured to avoid sending 
packets destined to private addresses to the Internet (dropped by Null 0). One default route is set up 


through 50.0.0.3, which is generally a router operated by the service provider. 


interface Ethernet 0/0 

ip address 192.168.2.1 255.255.255.0 
exit 
interface FastEthernet 0/0 

ip address 192.168.1.1 255.255.255.0 
exit 
interface Atm 0.1 

pvc ipoa vpi O vci 32 

ip address 50.0.0.4 255.255.255.0 


execute 

exit 

ip nat inside overload 

exit 

ip route 192.168.3.0 255.255.255.0 192.168.1.2 
ip route 10.0.0.0 255.0.0.0 Null O 

ip route 172.16.0.0 255.240.0.0 Null O 

ip route 192.168.0.0 255.255.0.0 Null O 

ip route 0.0.0.0 0.0.0.0 50.0.0.3 


The configuration of Router B: 


interface Ethernet 0/0 

ip address 192.168.3.1 255.255.255.0 
exit 
interface FastEthernet 0/0 

ip address 192.168.1.2 255.255.255.0 
exit 
ip route 0.0.0.0 0.0.0.0 192.168.1.1 
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2.4 IPV4 STATISTICS 


Use the following commands to display the ARP table and statistics: 


CLI> show arp 

Protocol address Hardware address Age (min) Interface Type 
20.1.1.44 00:80:c8:c9:a6:85 19 FastEthernet 0/0 ARPA 
192-168.2:7 00:00:3b:80<1livca: 2 Ethernet 0/70 ARPA 
192.168.2.11 00:00:92:a7:d0:ec 19 Ethernet 0/0 ARPA 

CLI> show arp statistics 

ARP statistics: 

IN: 512 requests, 4 replies, O discards 

O packets in queue, 0 queue drops 

OUT: 5 requests, O replies 


6 local resolution attempts (0 failures) 
prune timer 60 sec, hold timer 1200 sec, keep-down timer 20 sec 
retransmission timer 1 sec, max tries 5 


Use the following command to display the interface table (if an interface name is specified only the 
parameters of that interface are displayed): 


CLI> show interfaces 
Loopback 0 is up, line protocol is up 
Flags: (0x80e9) LOOPBACK MULTICAST, interface index is 9902 
MTU 32768 bytes 
Up-time 2d0h7m, status change count 0 
Internet address is 127.0.0.1/32 
Line speed unknown 
Mean IP input/output rate 0/0 bits/s, 0/0 packets/s (over the last 4s) 
Output queuing strategy: fifo, output queue length/depth 0/126 


IN: 0O packets, O bytes, O queue drops 
QO broadcasts, O multicasts, O errors, O discards 
O unknown protocols 

OUT: O packets, O bytes, O queue drops 


QO broadcasts, O multicasts, O errors, O discards 
Null O is up, line protocol is up 
Flags: (0x80e1) MULTICAST, interface index is 9901 
MTU 32768 bytes 
Up-time 2d0h7m, status change count 0 
Line speed unknown 
Mean IP input/output rate 0/0 bits/s, 0/0 packets/s (over the last 4s) 
Output queuing strategy: fifo, output queue length/depth 0/126 


IN: 0O packets, O bytes, O queue drops 
QO broadcasts, O multicasts, O errors, O discards 
O unknown protocols 

OUT: O packets, O bytes, O queue drops 


QO broadcasts, O multicasts, O errors, O discards 
FastEthernet 0/0 is up, line protocol is up 
Flags: (0x8063) BROADCAST MULTICAST ARP, interface index is 101 
Encapsulation: Ethernet v2, MTU 1500 bytes 
Up-time 00:06:41, status change count 3 
Hardware address is 00:12:ef:40:e2:76, ARP timeout 7200 sec 
Internet address is 192.168.1.10/24, broadcast address is 192.168.1.255 
Auto-negotiation, full-duplex 
Line speed 100000 kbps 
Mean IP input/output rate 0/3832 bits/s, 0/0 packets/s (over last 4s) 
Output queuing strategy: fifo, output queue length/depth 0/126 
Reliability: 255/255 
IN: 3453 packets, 227732 bytes, O queue drops 
263 broadcasts, O multicasts, O errors, O discards 
O unknown protocols 
OUT: 6319 packets, 8093202 bytes, O queue drops 
2 broadcasts, O multicasts, 0O errors, O discards 
GigabitEthernet 0/0 is up, line protocol is down 
Flags: (0x8021) MULTICAST ARP, interface index is 18176 
Promiscuous mode active 
Encapsulation: Ethernet v2, MTU 1500 bytes 
Down-time 00:02:26, status change count 0 
Hardware address is 00:12:ef:60:33:af, ARP timeout 7200 sec 
Line speed unknown 
Mean IP input/output rate 0/0 bits/s, 0/0 packets/s (over the last 4s) 
Bridged to group 1 
Output queuing strategy: fifo, output queue length/depth 0/126 
Reliability: 255/255 
IN: 0O packets, O bytes, O queue drops 
0 broadcasts, O multicasts, O errors, O discards 
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O unknown protocols 
OUT: O packets, O bytes, O queue drops 
OQ broadcasts, O multicasts, O errors, 1 discards 
GigabitEthernet 1/0 is up, line protocol is down 
Flags: (0x8021) MULTICAST ARP, interface index is 22272 
Promiscuous mode active 
Encapsulation: Ethernet v2, MTU 1500 bytes 
Down-time 00:02:54, status change count 0 
Hardware address is 00:12:ef:70:33:af, ARP timeout 7200 sec 
Auto-negotiation, duplex unknown 
Line speed 1000000 kbps 
Mean IP input/output rate 0/0 bits/s, 0/0 packets/s (over the last 4s) 
Bridged to group 1 
Output queuing strategy: fifo, output queue length/depth 0/126 
Reliability: 255/255 
IN: O packets, O bytes, O queue drops 
broadcasts, O multicasts, O errors, O discards 
unknown protocols 
packets, O bytes, O queue drops 
broadcasts, O multicasts, O errors, O discards 
Atm 0.2 is up, line protocol is up 
Flags: (0x80e1) MULTICAST, interface index is 30301 
Encapsulation: IP-over-Atm, MTU 1500 bytes 
Up-time 23:58:16, status change count 3 
Line speed 159 kbps 
Mean IP input/output rate 0/0 bits/s, 0/0 packets/s (over the last 4s) 
Bridged to group 10 
Output queuing strategy: fifo, output queue length/depth 0/126 
Reliability: 255/255 
IN: 26101 packets, 8252415 bytes, O queue drops 
QO broadcasts, O multicasts, O errors, O discards 
O unknown protocols 
OUT: 23906 packets, 2470266 bytes, O queue drops 
774 broadcasts, 5080 multicasts, 0 errors, O discards 


OUT: 


oOo O0O O° 


To display the operational status of an optical interface, use the next command: 


CLI> show interfaces { fastethernet | gigabitethernet } 1/0 transceiver 
Port = 1/0 

Diagnostics calibration is external 

Temperature = SOe.3 "CE 

Voltage =. (ig. Oe Ve 

Current = 9.25 mA 

Optical Tx Power = 9 be aBm 

Optical Rx Power = =39.23° dBm 


Use the following command to display IP configuration parameters associated with an interface (if an 
interface name is given only the parameters of that interface are displayed): 


CLI> show ip interface 
Loopback 0 is up [0x2] 
Internet address is 127.0.0.1 
MTU: ts 32768, metric 1s. 0 
Inbound access list not set 
Outgoing access list not set 
No Crypto map is applied 
ICMP redirects are always sent 
ICMP unreachables are always sent 
ICMP mask replies are never sent 
Network address translation is disabled 
Input service policy not set 
Output service policy not set 
Reverse Path Forwarding disabled 
TCP MSS adjust is auto -—- (value : 32728 bytes) 
Policy route map not set 
Protocol Independant Multicast is disabled 
Helper address is not set 
Proxy ARP is disabled 
Directed broadcast forwarding is disabled 
Null 0. is: up: [0x2] 
MTU is 32768, metric is 0 
Inbound access list not set 
Outgoing access list not set 
No Crypto map is applied 
ICMP redirects are always sent 
ICMP unreachables are always sent 
ICMP mask replies are never sent 
Network address translation is disabled 
Input service policy not set 
Output service policy not set 
Reverse Path Forwarding disabled 
TCP MSS adjust is auto -- (value : 32728 bytes) 
Policy route map not set 
Protocol Independant Multicast is disabled 
Helper address is not set 
Proxy ARP is disabled 
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Directed broadcast forwarding is disabled 
FastEthernet 0/0 is up [0x2] 

Internet address is 192.168.1.10, broadcast address is 192.168.1.255 

MTU iss: 1500. met rive as. 0 

Inbound access list not set 

Outgoing access list not set 

No Crypto map is applied 

ICMP redirects are always sent 

ICMP unreachables are always sent 

ICMP mask replies are never sent 

Network address translation is disabled 

Input service policy not set 

Output service policy not set 

Reverse Path Forwarding disabled 

TCP MSS adjust is auto -—- (value : 1460 bytes) 

Policy route map not set 

Protocol Independant Multicast is disabled 

Helper address is not set 

Proxy ARP is disabled 

Directed broadcast forwarding is disabled 
GigabitEthernet 1/0 is up [0x6] 

MIU: ss. "25005. MEErie As: 

Inbound access list not set 

Outgoing access list not set 

No Crypto map is applied 

ICMP redirects are always sent 

ICMP unreachables are always sent 

ICMP mask replies are never sent 

Network address translation is disabled 

Input service policy not set 

Output service policy not set 

Reverse Path Forwarding disabled 

TCP MSS adjust is auto —- (value : 1460 bytes) 

Policy route map not set 

Protocol Independant Multicast is disabled 

Helper address is not set 

Proxy ARP is disabled 

Directed broadcast forwarding is disabledAtm 0.1 is up 


To display the IP status of all interfaces, use the next command: 


CLI> show ip interface brief [<interface-type> <unit>] 


Interface IP-Address OK? Status ProLocol 
Loopback 0 eet OLD gel YES up up 

Null 0 <unassigned> YES up up 
GigabitEthernet 1/0 LOZ LGB 2 1 YES up down 

efm 0 LOZ SLO. 1022 YES up down 
FastEthernet 0/0 LOA 68a 10 YES up down 
FastEthernet 0/1 <unassigned> YES up down 
FastEthernet 0/2 <unassigned> YES up down 
FastEthernet 0/3 <unassigned> YES. up down 


To display the interfaces associated to a VRF, use the next command: 
CLI> show ip vrf interfaces 


Interfaces VRF Name 
Loopback 39 WEESY 


To display the status of all the VRF, use the next command: 


CLI> show ip vrf brief 


VRF Name VRF Id Interfaces 
vrf£39 1 Loopback 39 
vrf40 2 


Use the following command to display the routing table: 


CLI> show ip route [vrf <vrf-name>] 
Codes: C connected, S static, R RIP, O OSPF, B eBGP, b iBGP, o other 


I OSPF intra area, IA OSPF inter area, E1/E2 OSPF external type 1/2 


default via 50.0.0.3, Atm 0.1 

20.1.1.0/24 is directly connected, FastEthernet 0/0 
50.0.0.0/24 is directly connected, Atm 0.1 
127.0.0.1/32 is directly connected, Loopback 0 
1:92.168%2.0/24 is directly connected, Ethernet. 0/0 


QagaaRAaAaAN 


Note that when debug ip routing is in force, the routes learnt via ARP are also displayed under the 
link (1) code. The recursive index (route included in another) is also displayed between parentheses. 


CLI> show ip route [vrf <vrf-name>] 
Codes: C connected, S static, R RIP, O OSPF, B eBGP, b iBGP, o other 


I OSPF intra area, IA OSPF inter area, E1/E2 OSPF external type 1/2 
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default via 50.0<50s3, Atm 0.) (0) 

20.1.1.0/24 is directly connected, FastEthernet 0/0 (0) 
20, 1.1.1732 ts directly connected, FastEthernet. 070. (1) 
50.0.0.0/24 is directly connected, Atm 0.1 (0) 
127.0.0.1/32 is directly connected, Loopback 0 (0) 
192.168.2.0/24 is directly connected, Ethernet 0/0 (0) 


QAAAFAN 


Use the following command to display the DNS servers' addresses and the method used to get them: 


CLI> show ip name-server [vrf <vrf-name>] 


CLI> show ip name-server 

DNS Resolver settings for VRF default 
Manual Resolver 

Domain-name: OADNSINFO.fr 
Name-server timeout: 18 seconds 
Name-servers: 

192) 5b63:.30).4 

LOZ STOO Ue 

LO? LOB. 5 OS 

CLI> show ip name-server vrf red 
DNS Resolver settings for VRF red 
Learnt Resolver 

Domain-name: DHCPDNSINFO.fr 
Name-server timeout: 150 seconds 
Name-servers: 

LO 2 e681 

192163412 

LOA LOS 3 


Use the following command to display the IP route tracking facility statistics: 


CLI> show track [<obj-id] 

Track #1 

rtr 1, state: down 

2 Change (s),. Last. change: 2000.02. 01..00T6%30: +00; 00. UTC 
Latest operation return code: tmo 

Latest RIT (millisecs): 2 

Tracked by: unk 


Use the following command to display the host table: 


CLI> show hosts [vrf <vrf-name>] 


Host Address Aliases 
localhost 127.0.0.1 
ftpserver LOZ ol OS «dee 


Use the following command to display the fast forwarding route cache: 


CLI> show ip cache [vrf <vrf-name>] 


Destination Next Hop Link Info Interface 
LO es LOe Ole LO <0 ohO eZ Ox02b8c6e0 Bvi 2 

LO LO. Oy Aa LO ooh Gos dOny al Ox02b8bc10 Bvi 2 
200.1520. 204 Z00G1 Se Os 2o4 Oxabadcafe Atm 0.40 


Use the following command to display IP statistics: 


CLI> show ip statistics 

IP statistics: 

IN: 401611 total, 1348 local destination (0/0 queue lentgh/drops) 

O too short, O bad header length, 0 bad total length 

0 bad version, O bad checksum, O can't forward 

2 unknown protocol, O discards 

O fragments, O packets reassembled, O fragments dropped, O timeouts 
OUT: 400238 forwarded, 1146 local source 

0 no: rouce,. (0: no butter, -3 -drscards 

O packets fragmented, O can't fragment, O fragments created 


Use the following command to display ICMP statistics: 


CLI> show icmp statistics 

ICMP statistics: 

IN: O format errors, O checksum errors 

QO redirects, 2 unreachable, 25 echo, O echo reply 

O mask requests, O mask replies, O quench 

O parameter problem, 0 timestamp, O info request, O other 

OUT: O redirects, 23 unreachable, 0 echo, 25 echo reply 

O mask requests, O mask replies, O quench 

O parameter problem, O timestamp, O info reply, O time exceeded 


Use the following command to display TCP statistics: 


CLI> show tcp statistics 
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TCP statrstacs: 

IN? 1J181 total 

0 checksum error, O bad offset, O too short 

673 packets (2220 bytes) in sequence 

O dup packets (0 bytes) 

partially dup packets (0 bytes) 

out-of-order packets (0 bytes) 

packets (0 bytes) with data after window 

packets after close 

window probe packets, 0O window update packets 

5 dup ack packets, 0 ack packets with unsend data 

644 ack packets (49357 bytes) 

OUT: 1183 total, O urgent packets 

6 control packets 

638 data packets (49350 bytes) 

QO data packets (0 bytes) retransmitted 

539 ack only packets (2 delayed) 

O window probe packets, O window update packets 

connections established (including 2 initiated, 4 accepted) 
connections closed (including 0 dropped, 0 embryonic dropped) 
total rxmt timeout, O connections dropped in rxmt timeout 
keepalive timeout, O keepalive probe, O connections dropped in keepalive 


OOO UO 


oOON4 Dd 


Use the following command to display UDP statistics: 


CLI> show udp statistics 

UDP statistics: 

IN: 232 total, O no port (unicasts), 232 no port (broadcasts), 
O buffer-full drops 

O checksum error, O bad length, 0 too short 

OUT: 4 total 


Use the following command to display IGMP statistics: 


CLI> show igmp statistics 

IGMP statistics: 

IN: 0 total, OO too short, 0 checksum errors 

O queries, O bad queries 

QO reports, O bad reports, OQ reports for local groups 
OUT: O reports 

Locally joined multicast groups: 

224.0.0.1/Ethernet 0/0 


22 Ace Oe MPR OD eal: 
224.0.0.1/Loopback 0 
224.0.0.1/FastEthernet 0/0 


Use the following command to display all TCP/IP stack statistics: 


CLI> show ip traffic 


To display information about TCP sockets running on the router, use the command: 


CLI> show tcp sessions 


To display information about UDP sockets running on the router, use the command: 


CLI> show udp sessions 


To clear interface input/output counters, use the command (if interface is not given, all counters are reset): 


CLI> clear counters [<interface-type> <unit>/<port>] 


To clear IP counters, use the command: 


CLI> clear ip counters 


To clear TCP counters, use the command: 


CLI> clear tcp counters 


To clear UDP counters, use the command: 


CLI> clear udp counters 


To clear ARP cache, use the command: 


CLI> clear arp-cache [vrf <vrf-name>] 
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To clear IP route cache, use the command: 


CLI> clear ip cache [vrf <vrf-name>] 


To clear a host from the host table, use the command: 


CLI> clear host <host-name> [vrf <vrf-name>] 
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2.5 IPV4 DEBUG AND TRACE 


The following commands enable detailed traces for debugging IP modules. To enable IP routing 
debugging, use the following command in global mode: 


CLI> [no] debug ip routing 


To enable IP route cache debugging, use the following command in global mode: 


CLI> [no] debug ip cache 


To enable IP interface debugging, use the following command in global mode: 


CLI> [no] debug ip interface 


To enable Address Resolution protocol debugging, use the following command in global mode: 


CLI> [no] debug arp 


To disable the debugging of a protocol or module, use the no form of the corresponding command. 
To display the current debugging modules, use the command: 
CLI> show debug 
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3 TUNNELING ENCAPSULATION PROTOCOLS 


This section describes encapsulation protocols. 





3.1 TUNNELING FEATURES 


3stst GRE Encapsulation Protocol 


GRE is a technique that enables to encapsulate packets using a GRE encapsulation header. A GRE 
header has a variable-length header, depending of the options the header supports. 


a Payload (IP packet) 


GRE header 


a 


C, K and S are optional flags, meaning that respective fields are present on the header: checksum, key 
and sequence number fields. 








Emitted packets are sent with a GRE header of at least 4-byte, while all flags are managed when receiving 
GRE packets. 


3.1.2 IP over IP Encapsulation Protocol 


An IP header is added with the assigned destination and source address required by the tunnel 
configuration. 


3.1.3 Path MTU Discovery (PMTUD) 


As defined in RFC 1191, PMTU prevents the fragmentation of IP packets along the path from the source to 
the destination. If fragmentation occurs along the path, it can considerably degrade the performance of 
TCP, particularly in the case of network congestion. 


When using tunnels, destination address of the tunnel can be routed through many routers until reaching 
the endpoint. PMTUD was developed to avoid fragmentation in the path between the endpoints. It 
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determines dynamically the lowest MTU along the path from the packet source to its destination and 
applies the MTU to the tunnel interface MTU. 


3.1.4 IP Unnumbered 


This feature helps a tunnel interface to be considered as a routable interface, because it borrows the IP 
address of a specified interface. Both interfaces share the same address. There are two advantages in 
using unnumbered interfaces: 


1. Some IP addresses are saved: if a lot of devices need to be installed on a sub-network with a limited 
pool of addresses. 


2. Routes learned through the IP unnumbered interface use the interface as next hop instead of the 
source address of the routing update. Thus, problems with invalid next hop address are avoided 
because the source of the routing update coming from a next hop is not directly connected. That is 
why only point-to-point interfaces can be unnumbered interfaces. 
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3.2 TUNNELING CONFIGURATION COMMANDS 


Note: as of V4.3R2E2 software release, tunnel interfaces are only supported on the default VRF. 


Tunnel interfaces can be created or deleted using configuration commands. To create a new tunnel 
interface, use the following command in global configuration mode: 


CLI(configure)> interface tunnel <unit> 


CLi(Coniig=-i1.2) > 


The unit number should be any number greater than 0. This command, if successful, will enter into 
interface configuration mode. Then user can use the IP interface configuration commands to set the IP 
address or any other parameters. To delete a Tunnel interface, use the command: 


CLI(configure)> no interface tunnel <unit> 
3.2.1 Setting the IP Interface 


Setting the IP interface determines the source IP address of a packet emitted by the router on a tunnel 
interface. 


3.2.1.1 Unnumbered Interface 


To configure tunnel interface as unnumbered and permit IP routing on this interface, use the following 
command in tunnel interface configuration mode: 


CLI (config-if)> ip unnumbered <interface-type> <unit> 
To unset tunnel interface as unnumbered, use the following command in tunnel interface configuration 
mode: 


CLI (config-if)> no ip unnumbered 


3.2.1.2 IP Interface Address 


To configure the IP address of a tunnel, use the next command: 


CLI (config-if)> ip address <ip> <mask> 
32:2 Setting tunnel source/destination 


To configure tunnel source and/or destination address, use the following command in tunnel interface 
configuration mode: 


CLI (config-if)> tunnel source { <A.B.C.D> | <type> <unit> } 
CLI (config-if)> tunnel destination { <A.B.C.D> | <Hostname> | passive } 


When using the passive keyword, it is assumed that the router is a kind of "GRE server" and it does not 
know the IP address of the GRE peer in advance. The peer IP address will be learnt when the remote peer 
will connect the GRE tunnel for the first time. This feature is useful when a central site router has a static 
IP address whereas branch-office (GRE client) routers have dynamic IP addresses, |.e. IP addresses that 
are not known a-priori. 


To remove the tunnel source and/or destination address from the configuration, use the no form of the 
above command. 


CLI (config-if)> no tunnel source 


CLI (config-if)> no tunnel destination 
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31223 


3.2.4 


3.2.5 


Setting tunnel encapsulation mode 


To configure tunnel encapsulation mode for all routed packets, use the following command in tunnel 
interface configuration mode: 


CLI (config-if)> tunnel mode { ipip | gre | mobileip } 


To come back to default GRE configuration mode, use the no form of the above command. 


CLI (config-if)> no tunnel mode 
Setting RFC 1701 options 


When enabling GRE, the default behavior is to follow the RFC 2784 standard. This RFC is actually a 
simplified version of RFC 1701, where some options have been chosen as no more configurable. In this 
paragraph, the following commands enable some features specific to RFC 1701. 


To enable the checksum on a GRE interface, use the following command in interface configuration mode: 


CLI (config-if)> tunnel checksum 
CLI (config-if)> no tunnel checksum 
When configured incoming packets must have a checksum inside the header. Otherwise, packets are 


dropped. 


To configure a key identifier on a GRE interface, use the following command in interface configuration 
mode: 


CLI (config-if)> tunnel key <0-4294967295> 

CLI (config-if)> no tunnel key 
When the tunnel key is configured, incoming packets that have not a key identifier, or that have a wrong 
key identifier are systematically dropped. 


To allow datagram sequencing on a GRE interface, use the following command in interface configuration 
mode: 


CLI (config-if)> tunnel sequence-datagrams 
CLI (config-if)> no tunnel sequence-datagrams 


Outgoing GRE packets have their sequencing counter incremented. A received packet is not dropped as 
long as it falls within the reception window (128 packets). The reception window is set between the highest 
sequence number of all currently received packets, noted 'Sh', and (Sh - 128). If a packet is received with 
a sequence number greater than 'Sh', then 'Sh' is set to this new value. The router checks that packets 
have sequence numbers that conforms to the reception window but the router does not reorder packets. 


Setting Path MTU Discovery 


To configure path MTU discovery, use the following command in tunnel interface configuration mode: 


CLI (config-if)> tunnel path-mtu-discovery 


To remove path MTU discovery (PMTUD), use: 


CLI (config-if)> no tunnel path-mtu-discovery 


When the PMTUD is activated, the router sends every tunnel packets with the DF bit set as '1', so that 
packets exceeding the MTU of routers along the tunnel path are dropped. The router dropping a packet 
must issue an ICMP error message indicating the MTU. When PMTUD is activated, the originating router 
intercepts the ICMP error message and resets its tunnel MTU so that it corresponds to the lowest MTU 
along the tunnel path. 


Additional parameters for Path MTU Discovery: 


e The path MTU will decrease as paths with lower MTU paths are discovered. However, the path MTU 
should be increased if such low MTU path disappear, hence an aging timer to increase path MTU 
again (default: 10 minutes, infinite disables the aging timer). 
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CLI (config-if)> tunnel path-mtu-discovery { age-timer <minutes 10-30> 
| infinite} 
e To prevent path MTU to be excessively lowered, a minimum MTU can be set (default: 92 bytes). 


CLI (config-if)> tunnel path-mtu-discovery min-mtu <bytes 92-65535> 


3.2.6 Setting the TOS field 


By default the DSCP and IP precedence values are not changed when entering the tunnel interface, they 
are copied from the original packet. 


To set a new DSCP value in the outgoing packets on the tunnel interface, use the following command in 
tunnel interface configuration mode: 


CLI (config-if)> tunnel dscp <0..63> 


To return to the default behavior and not changing the DSCP value, use: 

CLI (config-if)> no tunnel dscp 
To set a new IP precedence value in the outgoing packets on the tunnel interface, use the following 
command in tunnel interface configuration mode: 


CLI (config-if)> tunnel precedence <0..7> 


To return to the default behavior and not changing the IP precedence value, use: 


CLI (config-if)> no tunnel precedence 
3.2.7 Setting Keepalive 


The keepalive is a feature that monitors a GRE tunnel. Some keepalive packets are sent periodically and 
must be looped back by the remote-end. The successful reception of looped keepalive is considered as 
the criterion to keep the GRE tunnel interface as up. 


By default, the keepalive feature is deactivated and the tunnel is always up if its configuration is complete 
and a route to the tunnel destination is known. lf keepalive is enabled, the tunnel is down as long as no 
answer from the remote is received (i.e. the remote has not looped received keepalive packets). Keepalive 
packets are sent periodically (default: 10 seconds). When the tunnel is up, the tunnel interface can go 
down after a configurable number of successively unsuccessful keepalive packets (default number of 
retries: 3). To activate keepalive, type the following command under tunnel interface configuration mode: 


CLI (config-if)> keepalive [ <period-in-seconds> [ <number-of-retries> ] J] 


To disable keepalive: 


CLI (config-if)> no keepalive 
3.2.8 Disabling the tunnel interface 


To disable an existing tunnel, use the shutdown command in tunnel configuration mode. This means that it 
will no longer be able to receive and send data packets. 


CLI (config-if)> shutdown 


To re-enable the tunnel, use: 


CLI (config-if)> no shutdown 


If an interface is shutdown, the address or addresses assigned to that interface will be unreachable. If one 
pings one of the interface addresses, it will not work. 
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3.3 TUNNELING CONFIGURATION EXAMPLES 


This simple example shows how to configure a GRE tunnel. This example can be used for all platforms. 















Router A 
ATM 0.1: 50.0.0.3 
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ATM 0.1: 50.0.0.4 
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Untrusted 
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10.1.2.0/24 10.1.3.0/24 









Tunnel 1: Tunnel 1: 
Src: 50.0.0.3 Src: 50.0.0.4 
Dst: 50.0.0.4 Dst: 50.0.0.3 


10.1.3.0/24 10.1.2.0/24 





In this example, two devices connect to each other via a WAN interface. To connect the two sub-networks 
without modifying IP headers, a tunnel interface is created. 


IP address 10.1.3.1 on router A permits to connect 10.1.3.0/24 route to tunnel interface. IP address 
10.1.2.1 on router B permits to connect 10.1.2.0/24 route to tunnel interface. Note that assigned IP 
addresses on tunnel interfaces are only used for routing. 


The configuration script is as follows for router A: 


interface FastEthernet 0/0 

ip address 10.1.2.1 255.255.255.0 
exit 

interface Tunnel 1 

ip unnumbered fastethernet 0/0 
tunnel source atm 0.1 

tunnel destination 50.0.0.4 
exit 

interface Atm 0 

gshdsl 

execute 

exit 

exit 


interface Atm 0.1 

pvc ipoa vpi O vci 32 

ip address 50.0.0.3 255.255.255.0 
execute 

exit 

exit 


The configuration script is as follows for router B: 


interface FastEthernet 0/0 
ip address 10.1.3.1 255.255.255.0 
exit 


interface Tunnel 1 


ip unnumbered fastethernet 0/0 
tunnel source atm 0.1 
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tunnel destination 50.0.0.3 
exit 


interface Atm 0 
gshdsl 

execute 

exit 


exit 


interface Atm 0.1 

pvc ipoa vpi O vci 32 

ip address 50.0.0.4 255.255.255.0 
execute 

exit 


exit 





3.4 TUNNELING DEBUG AND TRACE 


To enable IP tunneling debugging, use the following command: 


CLI> debug ip tunnel 


To disable IP tunneling debugging, use the ‘no’ form of the above command. 
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AYER TWO TUNNELING PROTOCOL (L2TP) 
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L2TP PRESENTATION 


L2TP is a protocol defined in RFC 2661 (L2TP version 2), which enables subscribers using PPP to be 
connected to their home networks over a variety of transport technologies. PPP remote systems 
(Subscribers) use different access technologies, such as ISDN, analog phone line (POTS) or DSL. A layer- 
two connection is normally achieved between the remote system and the Network Access Server (NAS) or 
the Broadband Access Server (BAS). Instead of terminating the PPP session in this device, the PPP 
session is relayed in a L2TP tunnel. 


PPP 
Remote 


a LAC ibe Tunnet ~ 
—— 











ISP/ 
Internet 













oven” 


(over ADSL 
SHDSL, 
ISDN, ...) 
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The PPP transport in L2TP is transparent to the PPP protocol. Therefore, the remote L2TP end-point is 
also the remote PPP endpoint and is called the L2TP Network Server (LNS). 


The peer device of the LNS is the L2TP Access Concentrator (LAC), which usually initiates the L2TP 
tunnel and encapsulates PPP packets from one or more PPP remote systems. 


When the LAC and remote system are combined in one router, the router creates a PPP virtual interface 
that directly encapsulates PPP packets in L2TP packets. The virtual interface forms what is called LAC 
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client tunnel interface. As a LAC client is a tunnel interface, the newly formed L2TP packets are re-routed 
by the router like in a GRE or IPsec tunnel. 
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The advantage of L2TP is to ease integration of PPP using various access technologies and to transport 
seamlessly PPP sessions across several providers' networks. 





4.2 


4.2.1 


4.2.2 


LNS CONFIGURATION (L2TP SERVER) 


Note: as of V4.3R2E2 software release, L2TP server is not supported outside default VRF. 
Features 


The current version of OneOS provides the LNS function, with the following characteristics: 
e Configuration based on virtual profiles (PPP and L2TP) 

e Authentication of PPP users using username and password 

e Authentication of PPP users via RADIUS, support of redundant RADIUS servers 


e Configurable flow control and authentication procedures 
L2TP/PPP Virtual Template 


An L2TP/PPP virtual template is a template describing common characteristics of the PPP interfaces, 
which are set-up dynamically when a PPP session is established. The template makes reference to a PPP 
profile that describes common configuration parameters of the PPP layer. 


The virtual template describes the configuration parameters for the IP interfaces which are dynamically 
mounted when the PPP session is running. A user can configure in a virtual template the IP services which 
are managed by the routing software; these can be access lists, QoS, NAT ...etc. 


The configuration steps first require a PPP profile to be specified, this is done in global configuration mode: 


CLI (configure)> interface virtual-template <12tp-ppp-template-id> 
CLI (configure-virtual-ppp)> ppp-profile <profile-id> 


12tp-ppp-template-id Is a positive integer identifier, which uniquely references the template. 
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profile-id points to a PPP profile, which must have been defined as shown in section "PPP Virtual 
Template Configuration” in "OneOS — WAN User Guide" document (case PPP with IPCP dynamic). 


Note that the CLI is entered in virtual PPP interface configuration mode. For this interface configuration 
mode, you can define some interface-independent IP services. Here are some examples: 


CLI (configure-virtual-ppp)> ip access-group test out 
CLI (configure-virtual-ppp) > service-policy output test 
CLI (configure-virtual-ppp)> ip nat inside overload 


To start the L2TP service, enter the following command from global configuration mode: 


CLI (configure)> 12tp enable 


Note: to disable the L2TP service, use the no 12tp enable command, which is the default status. 


If the number of PPP sessions inside L2TP tunnels must be restricted to a specified value, use the 
following command: 


CLI (configure)> 12tp session-limit <1-300> 


By default, the number of sessions is limited to 300. 


It is then necessary to create an L2TP group that contains all configuration parameters for an L2TP tunnel, 
which is established with a single peer. The command is the following: 


CLI (configure)> 1l2tp-group <group-name> 
CLL (contig=L2tp-Ggroup) > 


group-name is a String, uniquely identifying the L2ETP group. The command makes the CLI enter in L2TP 
configuration mode. 


When the first PPP session supported by the L2TP group is initiated, the L2TP tunnel must be first 
established. The LNS must match the LAC request with a L2TP group in order to determine which L2TP 
parameters shall be used. To do so, the LAC host name is used. The user must enter the LAC host name 
corresponding to the L2TP group: 


CLI (config-l2tp-group) > terminate-from hostname <LAC-hostname> 


In case the LAC host name is not Known in advance (nomad users for example), use default as name of 
the L2TP group. OneOS will use the parameters of the L2TP group named default when the LAC host 
name is not found in another L2TP group (see first example below). 


CLI(configure)> 12tp-group default 
CLA(COnLig=LZtp=Group).> 


4.2.3 L2TP Group Configuration 


In this L2TP tunnel, the LNS receives PPP establishment requests. As a PPP server, the LNS must 
authenticate and return the IPCP parameters to the PPP caller after authentication. As PPP configuration 
parameters share common characteristics per caller, they are described in a L2TP/PPP virtual template 
(cf. section 4.2.2). The L2TP group configuration only needs to refer to that configuration template (one 
single PPP template is accepted): 


CLI (config-l2tp-group) > 1lns-incoming 

CLI (config-lns)> virtual-template <template-id> 
CLI (config-lns)> exit 

CLI (contig=L2tp=group) > 


To authorize the L2TP tunnel establishment, an authentication between the L2TP peers can be required, 
using a login/password couple. The authentication is enabled using the following command: 


CLI (config-1l2tp-group)> 12tp tunnel authentication 


Use no 12tp tunnel authentication to disable authentication. The authentication parameters are 
given as follows, beginning in 12tp-—group configuration mode: 


CLI (config-l2tp-group)> local name <hostname> 
CLI (config-1l2tp-group)> 12tp tunnel password <password> 


If the login/password must be encrypted for authentication confidentiality, use the next command: 
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CLI (config-1l2tp-group)> 12tp hidden 


Another way of doing for authentication is to authenticate the L2TP peers (PPP callers) using PAP/CHAP 
(for nomad users for example). In that case, use the following command as many times as needed in 
global configuration mode to enter the username and password of the L2TP peers. 


CLI (configure)> username <name> password <password> [o]1] 


0 (default value) means that the password is entered in clear text (it will be stored and then displayed 
encrypted). 1 means that the password is entered already encrypted. 


All the following parameters are optional. 


L2TP embeds a flow-control mechanism for PPP payload packets (disabled by default), which is activated 
using the following command: 


CLI (config-l2tp-group)> 12tp sequencing 


Use no 12tp sequencing to disable flow control. Several other parameters can be entered: 


CLI (config-l2tp-group)> 12tp tunnel hello <interval> 


interval Is the interval between each "hello" message that keeps the tunnel alive. Default: 60 sec. 


CLI (config-l2tp-group)> 12tp tunnel retransmit retries <retries> 


retries is the number of "retries” to consider the L2TP tunnel as out-of-service. Default: 5. 


CLI (config-l2tp-group)> 12tp tunnel retransmit timeout max <interval> 


interval Is the time between each retransmitted message. Default: 16 sec. 


CLI (config-l2tp-group)> 12tp tunnel receive-window <number-of-packets> 


number-of-—packets Is the number of PPP payload packets that can be sent without acknowledgement 
(only relevant if flow control is activated). Default: 4. 


CLI (config-l2tp-group)> 12tp tunnel inactivity timeout <interval> 


interval is the time with no data traffic after which the L2TP must be closed. Default: disabled. 
4.2.4 LNS Configuration Examples 


In the first example, the LNS configuration enables the connection of 60 PPP subscribers that are nomad 
users connected through the Internet using IPsec and with L2TP peers authentication using CHAP with 
user name and password. PPP subscribers are then authenticated at PPP level. 
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The L2TP tunnels are established between the various LAC (which names are not known in advance) and 
the LNS. The PPP subscribers receive their IP address through the LNS server, which takes addresses 
from the address pool named PPPPOOL. 
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! Define usernames and passwords for L2TP peers 
username L2TPName0Ol1 password 483cc1b294dad69dd69869c674bc 1 
username L2TPName02 password 473bc7J7aca4cae093a9c53££055dc 1 


username L2TPName60 password 706478fbc0aee68d72fca08fa48e 1 


! Configure IP address pool and IP access list 
ip local pool PPPPOOL 192.168.12.1 192.168.12.60 
ip access-list standard PCACL 

permit 172.31.100.1 

exit 


! Configure IPsec material 
crypto engine enable 
crypto ipsec transform-set ESP-3DES-SHA 
esp-3des esp-sha-—hmac 

mode transport 
exit 
crypto isakmp policy 3 

encryption 3des-—cbc 
exit 
crypto isakmp keepalive 
crypto isakmp check-interval 20 
crypto isakmp identity hostname 
crypto isakmp key MyPresharedKey address 0.0.0.0 0.0.0.0 
crypto dynamic MyCryptoDyn 

match address PCACL 

set transform-set ESP-—3DES-—SHA 
exit 
crypto map dynamic MyMapName 10 MyCryptoDyn 


! Configure IP material 

interface virtual-template 11 
ppp-profile 1 

no ip directed—broadcast 
exit 

interface FastEthernet 0/0 

ip address 192.168.1.10 255.255.255.0 
exit 

interface FastEthernet 0/1 

ip address 10.0.28.15 255.255.248.0 
exit 

interface FastEthernet 0/3 

ip address 172.31.100.1 255.255.255.0 
crypto map MyMapName 

crypto ipsec df-bit clear 
exit 

interface Loopback 1 

ip address 192.168.12.100 255.255.255.255 
exit 


! Configure PPP template (here username and password are not used) 
virtual-template ppp 1 
ip unnumbered Loopback 1 
authentication chap one-way-called 
username test 
no password 
keepalive 10 retry 20 
peer default ip pool PPPPOOL 
execute 
exit 
ip route 0.0.0.0 0.0.0.0 10.0.24.100 


! Configure L2TP material 
12tp enable 

12tp session-limit 300 
12tp-group default 
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12tp tunnel connection retries 2 
12tp tunnel connection timeout 10 
12tp tunnel hello 30 

12tp tunnel retransmit retries 6 
12tp tunnel retransmit timeout max 5 
ilns-incoming 

virtual-template 11 

exit 
exit 


In the second example, the LNS configuration enables the connection of 50 PPP subscribers connected 
through a DSL access network with PPP authentication achieved with RADIUS server. 
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The L2TP tunnel is established between the LAC (named 1lac-32 for L2TP tunnel establishment) and the 
LNS. The PPP subscribers receive their IP address through the LNS server, which takes addresses from 
the address pool named PPPPOOL. 


! Configure IP addresses for pool and Ethernet interfaces 
ip local pool PPPPOOL 60.3.1.1 60.3.1.50 

interface FastEthernet 0/0 

ip address 20.1.1.25 255.0.0.0 

exit 

interface Ethernet 0/0 

ip address 220.0.0.25 255.255.255.0 

ip address 192.178.10.25 255.255.255.0 secondary 

exit 


! Configure loopback address to unnumbered PPP interfaces 
interface Loopback 2 

ip address 70.0.0.1 255.255.255.0 

exit 


! Define template 11 for an L2TP group, which uses the PPP profile 1 
interface virtual-template 11 

ppp-profile 1 

exit 


! Characteristics of the PPP profile #1 
virtual-template ppp 1 

ipecp dynamic 

ip unnumbered loopback 2 

mru local 1500 no 

authentication pap 

keepalive 10 

peer default ip pool PPPPOOL 
radius-server 192.178.10.43 ip2002 
execute 

exit 
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ip route 0.0.0.0 0.0.0.0 ethernet 0/0 


! L2TP settings 

12tp enable 

12tp-group test 
terminate-from hostname lac-—32 
12tp tunnel authentication 
12tp tunnel password mypwd 
1lns-incoming 

virtual-template 11 

exit 

exit 


4.2.5 LNS Statistics and Debug 


To show L2TP tunnels, use the following command (‘all' provides detailed information): 


CLI> show 12tp tunnel [all] 


To show L2TP transport statistics at the UDP layer, use the following commands: 


CLI> show 12tp tunnel transport 


To show L2TP sessions, use the following commands: 


CLI> show 12tp session 


CLI> show 12tp session all 


Some debugging commands are also available to display on the console real-time execution of the 


L2TP/PPP protocol: 
All debug information: 
CLI> debug 12tp all 


Debug only alarms: 


CLI> debug 12tp alarm 


Debug the L2TP core information: 


CLI> debug 12tp core 


Debug L2TP protocol state transition information: 
CLI> debug 12tp fsm 


Debug L2TP-PPP interactions: 
CLI> debug 12tp ppp 


Debug L2TP-UDP interactions: 
CLI> debug 12tp transport 
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4.3 


4.3.1 


4.3.1.1 


LAC-CLIENT (L2TP CLIENT) 


Note: as of V4.3R2E2 software release, L2TP client is not supported outside default VRF. 
Configuration 


As explained above, a LAC-client interface consists of two layers of protocols: 
e L2TP: the L2TP layer parameters are configured within an 12tp_group. 


e PPP: the PPP parameters are configured within a virtual-template ppp, similarly to an ISDN 
dial-out interface. The configuration parameters found in a PPP virtual-template are not further 
explained in this section. For more information on such templates, please refer to section "PPP Virtual 
Template Configuration" in "OneOS — WAN User Guide" document. The virtual-template is then 
associated with an L2TP-client tunnel interface (12tunne1). 


L2TP configuration 


To start the L2TP service, enter the following command from global configuration mode: 


CLI (configure)> 12tp enable 


Note: to disable the L2TP service, use the no 12tp enable command, which is the default status. 


It is then necessary to create an L2TP group that contains all L2TP-layer configuration parameters, which 
is established with a single peer. The command is the following: 


CLI (configure)> 12tp-group <group-name> 
group-name Is a string, uniquely identifying the L2TP group. The last command makes the CLI enter in 
L2TP configuration mode. 


When the first PPP session supported by the L2TP group is initiated, the L2TP tunnel must be first 
established. The LNS must match the LAC request with an L2TP group in order to determine which L2TP 
parameters shall be used. To do so, the LAC host name is used. The LAC-client hostname is configured 
as follows (it must correspond to the terminate-from hostname <hostname> on the LNS side): 


CLI (config-l2tp-group)> local name <LAC-hostname> 
To authorize the L2TP tunnel establishment, an authentication between the L2TP peers can be required, 
using a login/password couple. The authentication is enabled using the following command: 

CLI (config-l2tp-group)> 12tp tunnel authentication 
Use no 12tp tunnel authentication to disable authentication. The authentication parameters are 
given as follows, beginning in 12tp-group configuration mode: 


CLI (config-l2tp-group)> 12tp tunnel password <password> 


If the login/password must be encrypted for authentication confidentiality, use the next command: 


CLI (config-l2tp-group)> 12tp hidden 


You must enter also the IP address of the LNS: 

CLI (config-l2tp-group)> initiate-to ip <lns-ip> [backup] 
Only one main and one backup LNS are supported. OneOS attempts to contact the backup LNS only if the 
main LNS is not responding. If the main LNS is responding but the tunnel setup fails, the backup LNS is 


not contacted as it is assumed that the configured parameters are wrong. The backup LNS IP address is 
entered by adding the keyword backup in the command. 
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Instead of static IP, the IP addresses of the LNS routers can be retrieved via AAA (RADIUS) using the 
following command: 


CLI (config-l2tp-group) > authorization 
Both modes (AAA or RADIUS) are mutually exclusive. The authorization mode becomes effective after that 
the next command is entered: 
CLI(configure)> aaa authorization network { radius 
| group <radius-—aaa-group> } 
Please check that a route to the configured LNS is present in the routing table. 


Then, you must enter the domain name of the LAC-function. The domain name is understood as follows: in 
the PPP parameters, a username is defined for authentication. The username is always under the 
following form: <user>@<domaine.com>. When you will configure the 12tunnel interface (LAC 
client), the L2TP domain name must match PPP domain name (if PPP username is “vivaldi@dependable- 
routers.com”, the L2TP domain name must be “dependable-routers.com”). The domain name is entered as 
follows: 


CLI (config-l12tp-group) > lac-incoming 
CLI (lac-incoming) > domain <domain-name> 
CLI (lac-incoming)> exit 


lac-incoming refers to the fact the interface is seen as a L2TP access concentrator by the LNS and it 
establishes an incoming PPP session into the network accessed via the LNS. 
Optional Commands: 


L2TP embeds a flow-control mechanism for PPP payload packets (disabled by default), which is activated 
using the following command: 


CLI (config-l2tp-group)> 12tp sequencing 


Use no 12tp sequencing to disable flow control. Several other parameters can be entered: 


CLI (config-l2tp-group)> 12tp tunnel hello <interval> 


interval Is the interval between each "hello" message that keeps the tunnel alive. Default: 60 sec. 


CLI (config-l2tp-group)> 12tp tunnel retransmit retries <retries> 


retries Is the number of "retries" to consider the L2TP tunnel as out-of-service. Default: 5. 


CLI (config-l2tp-group)> 12tp tunnel retransmit timeout max <interval> 


interval Is the time between each retransmitted message. Default: 16 sec. 

CLI (config-l2tp-group)> 12tp tunnel receive-window <number-of-packets> 
number-—of-packets Is the number of PPP payload packets that can be sent without acknowledgement 
(only relevant if flow control is activated). Default: 4. 


CLI (config-l2tp-group)> 12tp tunnel inactivity timeout <interval> 


interval is the time with no data traffic after which the L2TP must be closed. Default: disabled. 


Path MTU Discovery (PMTUD) is a function that forces the Don’t-Fragment (DF) bit of every L2TP packet 
to 1. If a packet whose DF=1 Is routed on an interface having an MTU smaller than the packet, the packet 
is dropped and an ICMP error message is returned to the sender indicating the interface MTU. PMTUD 
takes into account this information and lowers automatically the MTU of the interface. To activate PMTUD, 
enter the following command: 


CLI (config-l2tp-group)> [no] ip pmtu 


The TOS value of the encapsulated IP packet is copied into the L2TP IP header if the following command 
is entered (default: not active): 


CLI (config-l2tp-group)> [no] ip tos 


4.3.1.2 |PPP-LAC-Client Tunnel Configuration 
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To create the LAC-client tunnel interface, select the tunnel ID and enter under L2TP interface configuration 
mode from the global configuration mode: 


CLI(configure)> interface 12tunnel <tunnel-id> 


Attach then the PPP virtual template: 
CLI (config-if)> ppp-profile <ppp-virtual-template-id> 


As a logical IP interface, you can configure IP services under the L2TP interface as follows: 


CLI (config-if)> ip access-group <acl-name> in 
CLI(config-if)> ip tcp adjust-mss <length> 


4.3.1.3. LAC Tunnel Accounting 


If the following command is entered: 


CLI (configure)> aaa accounting network <acc-service-name> 
start-stop group <radius-aaa-group> [wendor-id-override <id>] 


Accounting messages (tunnel ON-OFF) are sent to the RADIUS server of the AAA group. By default, the 
vendor-id in the RADIUS request is OneAccess but it can be overridden to match <id> that is a numerical 
value. 


4.3.1.4 _PPP-LAC-Client Configuration Example 


hotspot>show running-config 
Building configuration... 


Current configuration: 


hostname hotspot 

virtual-template ppp 1 
ipcep static 

ip address 20.0.0.2 
authentication pap 
username bill@monica.com 
password toto 
reconnection automatic 
execute 

exit 

interface adsl 0 

modem mode AUTO 
execute 

exit 

interface atm 0 

driver ident 0 
max channels 10 
max vp 5 
max vc 8 
range vp min O max 255 
range vc min 32 max 100 
execute 

exit 

adsl 
execute 
exit 

exit 

interface atm 0.1 

pvc pppoa vpi 8 vci 36 
ipcp dynamic 
authentication pap 
username onel1l00@hotspot 
password toto 
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execute 
exit 
ip nat inside overload 
exit 
ip route 0.0.0.0 
ip route 219.1.1. 
12tp enable 
12tp-group tunnel 
local name hotspot 
initiate-to ip 219.1.1.100 
lac-—incoming 
domain monica.com 
exit 
exit 
interface 12tunnel 1 
ppp-profile 1 
ip tcp adjust-mss 1400 
ip nat inside overload 
exit 


.0.0.0 12tunnel 1 
255.255.255.0 221.13.10.20 


Oo oO 


4.3.2 LAC Statistics and Debug 


To show L2TP tunnels, use the following command (‘all' provides detailed information): 
CLI> show 12tp tunnel [all] 


To show L2TP transport statistics at the UDP layer, use the following commands: 


CLI> show 12tp tunnel transport 


To show L2TP sessions, use the following commands: 


CLI> show 12tp session 
CLI> show 12tp session all 


To show the L2TP/PPP protocol statistics, use the following command: 


CLI> show statistics 12tunnel ppp all 


A debugging command displays on the console real-time execution of the L2TP/PPP protocol: 
CLI> debug 12tunnel 


The next debugging command displays L2TP/PPP protocol state changes: 
CLI> event filter add wan 12tp all show 
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5 IPV4 ACCESS LISTS 


This section describes the features of IPv4 Access Control Lists (ACL) and their configuration. 





52 ACL FEATURES (IPV4) 


IP Access Control Lists, or simply, Access Lists, provide an efficient means to protect corporate networks 
against potential outside intruders and to control access rights for inside users. They can be used to 
perform simple access control (on source address, for example) or advanced control (on any combination 
of IP and transport protocol header fields). Users generally install access lists on the edge router to filter 
traffic incoming and outgoing the interface connected to the public network. 


Access lists can be considered containers of filters, which in turn define specific criteria for matching IP 
packets. Each filter also specifies the action (i.e., permit or deny) to be performed when matching a packet. 
Access lists can be applied to any interface in either the inbound or outbound direction. 


5.1.1 Standard Access Lists 


Standard access lists are the simplest form of access control. They provide traffic filtering only on IP 
source addresses. 


5.1.2 Extended Access Lists 


Extended access lists provide advanced traffic filtering. They can filter packets using any combination of 
the following IP and transport protocol header fields: IP source and destination addresses, DSCP code, IP 
protocol identifier, TCP/UDP source and destination port numbers, as well as ICMP type and code. 


5.1.3 Reflexive Access Lists 


An extended access list can be reflexive. When a flow matches this list and the action is permitted, an 
appropriate temporary filter will be automatically set up in the reverse direction to allow subsequent 
session messages to pass through the device. Reflexive access lists are very useful for protection against 
address spoofing. With reflexive access lists, it becomes very easy to allow sessions to be initiated only 
from inside hosts. 


5.1.4 Local Access Lists 


A local access list matches only the local traffic (i.e. traffic destined to or generated by the router). Local 
access lists are useful, when there is a NAT inside overload configuration, to limit the access to the router 
without interfering with other traffics. The local access lists can be either standard or extended access lists. 


531.5 Reverse Path Forwarding 
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A malicious user may steal the address of another host and use it as source address to carry out attacks 
on the network; for example, DOS (Denial of Service) attacks. In this case, it is very difficult to trace the 
source of the intrusion(s). With reverse path forwarding (RPF), the source address of a packet is checked 
and used to find a reverse route. The packet is forwarded only if a reverse route to the source is found, 
and the packet is received from the output interface of that route. 


5.1.6 ICMP Unreachable 


When a packet is dropped by an access list, an ICMP unreachable message can be sent according to a 
configuration parameter. 


5.1.7 Context Based Access Control 


Access lists can track FTP control sessions so that appropriate actions can be performed for FTP data 
transfer sessions (for example, reflexive access lists). In addition, access lists perform session-based 
control for protocols such as TCP, UDP and ICMP. 


This control mode enables also full TCP packet inspection, namely detection of TCP SYN packets initiating 
the connection, RST or FIN packets ending the connection. TCP packet inspection also protects from TCP 
sequencing replay. 


Such control also limits the configured maximum number of sessions and TCP half-sessions on the router. 
(A half session is a session for which only a SYN packet was intercepted and the router waits for a 
SYN_ACK packet). When the limits are reached, packets are dropped. 


5.1.8 Per-Host Inspection 


When context based access-control is not enabled, per-host inspection controls the number of sessions 
per—source host. Each session initiated by a host is accounted. When the number of sessions for the same 
source host reaches a defined threshold, further packets are dropped. Log messages inform the 
administrator about a potential attack. Such limitation per host protects the router against some flooding 
attacks: without per host inspection, a user may initiate many sessions until the maximum number of 
sessions is reached. When the global session limit is reached, the router drops any packet opening a new 
session, until some sessions are removed. 


When context based access-control is not enabled, per-host inspection also controls the maximum number 
of half-sessions per host, thus preventing SYN-flooding attacks. 


5.1.9 Fragmentation 


Fragmented packets can be used to attack a network (known as tiny fragment attacks). To protect the 
inside network from this type of attack, the following mechanism is implemented by default. The first initial 
fragment, which contains all information necessary for matching access lists, must be received first. This 
implies that, in a TCP packet, the entire TCP header must be contained in the first fragment. For 
subsequent fragments, access lists carry out context-based control. 


For flexibility, it is possible to disable this feature, which allows IP fragments to be forwarded regardless of 
the arrival sequence. 


OneOS can hold disordered fragments in a list until the first fragment arrives. Once the first fragment 
treated, the rest of the fragments list is popped. This feature is activated only when NAT or ACL is 
configured on an interface and has no effects on non-fragmented packets. 


5.1.10 Logging and Statistics 


Access lists provide log information for matching packets, either denied or permitted. Information can be 
displayed either on the console, or logged to a file. Upon the first match of a filter, a log message will be 
issued. Then upon succeeding matches, a summary log message is periodically issued. The level of 
logging detail can be configured. 


When context based access-control is enabled, the audit mode logs information for each session. 


5.1.11 Interface Attachment 
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An access list can be attached to an interface in either inbound or outbound directions. Packets are 
permitted without control if an access-list is not attached to the interface in the direction of packet flows. 
Otherwise, the permission or denial of a packet is controlled by the attached access list or the reflexive 
access list in the other direction. 


An ICMP error packet undergoes different processing from other packet types. If the attached access list 
explicitly forbids ICMP error packets to pass, then it is dropped. Otherwise, the embedded packet in the 
ICMP error packet is extracted and some further checking is performed. The ICMP error packet is 
permitted only if the embedded packet was already seen in the other direction. 


A local access list can be attached to an interface in either inbound or outbound directions. A global local 
access list can also be configured to match all the local traffic when there is no matching interface 
configured. 





LS 4 ACL CONFIGURATION COMMANDS (IPV4) 


An access list is a sequential list of filters. A new filter is always added at the end of the list. Configuration 
order in an access list is significant. A packet is matched against each filter from the beginning to the end 
of the list. Upon the first matching filter, the specified action of that filter is applied and access control 
processing stops. When a packet does not match any filter contained in an access list, the deny action is 
applied by default. 


To setup access lists, there are two steps: 
e Create access lists. An access list is identified by a unique name or number (max 150-char long). 
e Apply the access lists to an interface. 


Note: as of V4.3R2E2 software release, the existence of multiple VRF in router configuration is transparent 
to access lists. Nevertheless the access lists features (such as logging, inspections and timers) are 
globally defined and apply to all VRF. 


5.221 ACL Rule Sequencing 


ACL usually contain a set of permit and deny rules. When a packet is processed by the ACL, it is matched 
against the ACL rules from the first one until the packet matches a rule. The order in which rules are 
entered is therefore very important. It might be then useful to insert rules at a specific place in ACL rule list. 


By default, rules have an implicit sequence number: the first rule gets the sequence number 1, the 2” rule 
gets 2, the 3 rule gets 3 ... 

If you configure a permit/deny rule without providing a sequence number, the rule is inserted at the end of 
the list. If you configure a rule with “i” as sequence number, the rule is inserted after the rule (i-1). If 
there is already a rule at the i” position, the i*” rule sequence number and the sequence numbers of the 
subsequent rules are offset by 1. 


5.2.2 Standard Access Lists 


To create a standard access list, use the following command in global configuration mode: 


CLI(configure)> ip access-list standard <acl-name: 1-150> 


To add a filter to the access list, use the following commands: 


CLI (ip-acl-std)> deny any [log] 

CLI (ip-acl-std)> permit any [log] 

CLI (ip-acl-std)> deny <source-address> [<wildcard>] [log] [sequence <1- 
100000>] 

CLI (ip-acl-std)> permit <source-address> [<wildcard>] [log] [sequence <1- 
100000>] 


The optional log keyword enables log information when a packet matches the filter. To delete a filter from 
an access list, use the no form of that command: 
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CEL 
Chi 
Chi 
CLI 


ip-acl-std)> no deny any [log] 

ip-acl-std)> no permit any [log] 

ip-acl-std)> no deny <source-address> [<wildcard>] [log] 
ip-acl-std)> no permit <source-address> [<wildcard>] [log] 


mt ~— ~~ 


Comments can be added to the access list, by using the following command: 
CLI (ip-acl-std)> remark <description-text> 
CLI (ip-acl-std)> exit 
The comment can be deleted within an access list by using the following command: 


CLI (ip-acl-std)> no remark 


To delete the standard access-list, use the following command in global configuration mode: 


CLI (configure)> no ip access-list standard <acl-name> 


5.2.3 Extended Access Lists 


To create an extended access-list, use the following command in global configuration mode: 


CLI(configure)> ip access-list extended <acl-name: 1-150> 


To add a filter for TCP/UDP packets in the access-list, use the commands: 


CLI (ip-acl-ext)> permit { tcp | udp } <source-address> <source-wildcard> 
[<source-portl> [<source-port2>]] <dest-address> <dest-wildcard> 
[dest-portl [<dest-port2>]] [dsep <0-63>] [precedence <0-7/>] 
[log] [fragments] [sequence <1-100000>] 


CLI (ip-acl-ext)> deny { tcp | udp } <source-address> <source-wildcard> 
[<source-portl> [<source-port2>]] <dest-address> <dest-wildcard> 
[<dest-portl> [<dest-port2>]] [dscp <0-63>] [precedence <0Q-7/>] 
[log] [sequence <1-100000>] 


The fragments keyword is obsolete by a more advanced mechanism. Please refer to 5.2.6. The 
fragments keyword, if present, disables the control on fragmented packets. Any fragmented packet 
matching the IP protocol type, the source and destination addresses, and DSCP value will be selected by 
the filter. 


To add a filter for ICMP packets in the access-list, use the commands: 


CLI (ip-acl-ext)> permit icmp <source-address> <source-wildcard> 
<dest-address> <dest-wildcard> [icmp-type <0-255> [icmp-code <0-255>]] 
[dscp <0-63>] [precedence <Q0-7>] [log] [fragments] [sequence <1-100000>] 


CLI (ip-acl-ext)> deny icmp <source-address> <source-wildcard> 
<dest-address> <dest-wildcard> [icmp-type <0-255> [icmp-code <0-255>]] 
[dscp <0-63>] [precedence <0-7>] [log] [sequence <1-100000>] 

To add a filter for any other protocol packets in the access-list, use the commands: 


CLI (ip-acl-ext)> permit ip [<protocol-id>] <source-address> 
<source-wildcard> <dest-address> <dest-—wildcard> [dsep <0-63>] 
[precedence <0-7>] [log] [fragments] [sequence <1-100000>] 


CLI (ip-acl-ext)> deny ip [<protocol-id>] <source-address> 
<source-wildcard> <dest-address> <dest-wildcard> [dsep <0-63>] 


[precedence <0-7>] [log] [sequence <1-100000>] 


Comments can be added to the access-list by using the following command: 


CLI (ip-acl-ext)> remark <description-text> 
CLI (ip-acl-ext)> exit 


To delete a filter from the extended access-list, use the no form of the above-referenced commands. 
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To delete the extended access-list, use the following command in global configuration mode. 


CLI(configure)> no ip access-list extended <acl-name> 
5.2.4 Reflexive Access Lists 
To create an extended access-list with reflexive filters, add the keyword ‘reflexive’ at the end of a filter 
command. 


For example: 


CLI(configure)> ip access-list extended <acl-name: 1-150> 
CLI (ip-acl-ext)> permit { tcp | udp } <source-address> <source-wildcard> 
[<source-portl> [<source-port2>]] <dest-address> <dest-wildcard> 


[<dest-portl> [<dest-port2>]] [dscp <0-63>] [precedence <0-7>] [log] 
[fragments] reflexive [sequence <1-100000>] 


CLI (ip-acl-ext)> permit icmp <source-address> <source-wildcard> 
<dest-address> <dest-wildcard> [icmp-type <0-255> [icmp-code <0-255>]] 
[dscp <0-63>] [precedence <Q-7>] [log] [fragments] reflexive 

[sequence <1-100000>] 


CLI (ip-acl-ext)> permit ip [<protocol-id>] <source-address> 
<source-wildcard> <dest-address> <dest-wildcard> [dscp <0-63>] 
[precedence <0-7>] [log] [fragments] reflexive [sequence <1-100000>] 


CLI (ip-acl-ext)> exit 
52225 Reverse Path Forwarding 
To check the reverse path for the source address of received IP packets, use the following command in 


interface configuration mode: 


CLI(config-if)> ip verify reverse-path 


By default, the reverse path is not checked. 


Do not enable this feature on the interface that has been configured with a default route. 


To disable reverse path checking, use the command: 


CLI (config-if)> no ip verify reverse-path 
5.2.6 IP Fragmentation 


ACL and NAT always need at the beginning the first fragment of a packet to perform correctly their 
treatments. The feature permit to hold disordered fragments in a list until the first fragment arrives. Once 
the first fragment treated, the rest of the fragments list is popped. This feature is activated only when NAT 
or ACL is configured on an interface and has no effects on non-fragmented packets. 


The IP fragmentation can be tuned by setting the maximum number of packets and fragments as well as a 
timeout to flush the list: 


CLI (configure)> ip fragment packet-list <1-255> 
CLI (configure)> ip fragment frag-list <1-255> 

CLI (configure)> ip fragment timeout <1-10 seconds> 
CLI(config-if)> ip fragment default 


The default values are: 
e 10 fragmented packets authorized in queue (packet-list) 
e 10 fragments per packets authorized before first packet arrives (frag-list) 


e 3seconds fragments can wait the first fragment before being dropped (timeout) 
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To display the fragmentation statistics, use the following command in global mode: 


CLI> show ip fragment statistics 

IP buffering fragment statistics : 

State: disabled (ACL and NAT not running) 
O fragments received, O fragments accepted 
O packets reassembled, 0 fragments dropped 
O timeouts 


To display the fragmentation configuration, use the following command in global mode: 


CLI> show ip fragment configuration 
IP buffering fragment configuration ; 
State: disabled (ACL and NAT not running) 


ip fragment packet-list Sa 
ip fragment frag-list me cdo 
ip fragment timeout . 
5.2.7 Attaching Access Lists to an Interface 


To attach an access list to an interface in either direction, use the following command in interface 
configuration mode: 


CLI (configure)> interface <type> <unit> 

CLI(config-if)> ip access-group <acl-name> { in | out } 
Only a single access-list can be attached to an interface and to a direction. The access-list should be 
created before attaching it to the interface. 
To detach the access-list from the interface, use the following command: 


CLI(config-if)> no ip access-group { in | out } 
5.2.8 Attaching Local Access Lists to an interface 


Note: as of V4.3R2E2 software release, local access lists are not supported outside default VRF. 


To attach a local access list to an interface in either direction, use the following command in global 
configuration mode: 


CLI(configure)> ip local access-list <aclname> { in | out } [<interface>] 
Only a single local access-list can be attached to an interface and to a direction. The local access-list 
should be created before attaching it to the interface. 


The interface parameter is optional. If not configured, the local access list will be global and applied to 
all the interfaces. 


To detach the local access-list from the interface, use the following command: 
CLI(configure)> no ip local access-list { in | out } [<interface>] 


The interface parameter is optional. If not configured, the global local access list will be detached from 
all the interfaces. 


5.2.9 Re-sequencing Access-lists 


Sequencing permits to assign numbers to filters within an access-list. Each filter owns a Sequence number; 
filters in an access-list are then ordered by ascending sequence number. ACL re-sequencing enables to 
change in which order rules should be applied to an incoming packet. 


It also permits to insert a filter in a non-sequenced access-list. As there is no sense to insert sequenced 
filter in a non-sequenced access-list, this feature is however kept to facilitate insertions. Sequencing 
number is used to insert filter in the position defined by the number of filters in the access-list. Sequencing 
number is automatically lost. 


To sequence or re-sequence an access-list with a defined interval between each filter of the access-list, 
use the following command in configuration mode: 


CLI(configure)> ip access-list resequence <acl-name> [<1-100000>] 
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By default, if no sequencing number is chosen, then each filter is separated by an interval of 1. Use the 
following command to set to default sequencing: 


CLI(configure)> ip access-list resequence <acl-—name> 


To reset Sequencing on an access-list, use the no form of the above command: 


CLI(configure)> no ip access-list resequence <acl-name> 
5.2.10 Changing the Logging Interval 


The logging interval for 'permit' filters is the minimum amount of time between two events from the same 
session, whereas the logging interval for 'deny' filters is the minimum amount of time between two events 
from the same filter. 


CLI(configure)> ip access-list logging <seconds> 


The default interval for logging is 5 minutes. To return to the default value, use the following command: 


CLI (configure)> default ip access-list logging 
S525 4 Changing the Maximum Number of Sessions 


By default, up to 5,000 session contexts can be managed in memory. A session context contains 
information about the session state and characteristics. If you need to manage more sessions, use the 
following command: 


CLI(configure)> ip inspect max-sessions <number> 
5.2.12 Changing the Idle-Timers 


To configure timers to shutdown the existing idle sessions, use the following commands in global 
configuration mode. 


The default timeout value for FTP sessions is 30 seconds. Use the following commands to set the timeout 
value for FTP sessions or to return to the default value: 


CLI (configure)> ip inspect ftp <seconds> 
CLI (configure)> default ip inspect ftp 


The default timeout value for ICMP is 30 seconds. Use the following commands to set the timeout value for 
ICMP or to return to the default value: 


CLI(configure)> ip inspect icmp <seconds> 
CLI (configure)> default ip inspect icmp 


The default timeout value for UDP sessions is 180 seconds. Use the following commands to set the 
timeout value for UDP sessions or to return to the default value: 


CLI(configure)> ip inspect udp <seconds> 
CLI(configure)> default ip inspect udp 


The default timeout value for TCP sessions is 1800 seconds. Use the following commands to set the 
timeout value for TCP sessions or to return to the default value: 


CLI (configure)> ip inspect tcp idle-time <seconds> 
CLI(configure)> default ip inspect tcp idle-time 


In some cases, it is desirable to reduce idle-timers for a specified protocol. Indeed, some applications 
(such aS some peer-to-peer applications for file sharing) create a lot of connections with remote 
computers, thereby consuming many resources on the router (because a memory context is required for 
each session and this memory space is limited). Reducing idle-timers only for these applications will 
reduce the session number kept in router memory by eliminating earlier inactive sessions. (Note that the 
same issue exists with NAT, changing timers for NAT is also recommended in this case). To change the 
idle-timer for a specified protocol, the command is the following (beginning in global configuration 
terminal): 


CLI(configure)> ip inspect port-timeout { tcp | udp } { <protocol-name> 
<port> } <seconds> 
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You can provide the TCP or UDP port or the name of the protocol in clear text. The list of supported 
keywords is provided under'show {tcp|udp} port-—map'. To restore the default idle timer, use the next 
command: 


CLI(configure)> no ip inspect port-timeout { tcp | udp } 
{ <protocol-name> | <port> } 


5.2.13 Stateful Inspection 


Note: as of V4.3R2E2 software release, the existence of multiple VRF in router configuration is transparent 
to stateful inspection. Nevertheless the stateful inspection parameters (such as timers) are globally defined 
and apply to all VRF. 


By default, stateful inspection is not enabled. Stateful inspection means that the TCP flags are checked to 
validate TCP protocol transaction validity. To activate this inspection, use: 


CLI(configure)> [no] ip inspect stateful 
If you wish to audit sessions, use the following command and you will be able to view logs by sessions 
(instead of by ACL) when using the show ip inspect sessions command: 

CLI(configure)> [no] ip inspect audit 
The default value for TCP SYN-wait timeout is 30 seconds. Use the following commands to set the TCP 
SYN-wait timeout or to return to the default value: 

CLI(configure)> ip inspect tcp synwait-time <seconds> 

CLI(configure)> default ip inspect tcp synwait-time 
The default value for TCP FIN/RST timeout is 120 seconds. Use the following commands to set the TCP 
FIN/RST timeout or to return to the default value: 

CLI (configure)> ip inspect tcp finrst-time <seconds> 

CLI(configure)> default ip inspect tcp finrst-time 
The default timeout value for any other protocol sessions is 3600 seconds. Use the following commands to 
set the timeout for any other protocol sessions or to return to the default value: 

CLI(configure)> ip inspect other <seconds> 

CLI (configure)> default ip inspect other 
By default, the maximum number of sessions supported by access-lists is 5000. However, for scaling 
needs, this number is configurable thanks to the following command line: 


CLI (configure)> ip inspect max-sessions <100-100000> 


To restore the default configuration, use the following configuration command line: 

CLI(configure)> default ip inspect max-sessions 
By default, the maximum number of half-open sessions supported by access-lists is 1000. However, for 
scaling needs, this number is configurable thanks to the following command line: 


CLI(configure)> ip inspect half-open <10-10000> 


To restore the default configuration, use the following configuration command line: 

CLI (configure) > default ip inspect half-open 
Generally, alarms are sent before the configured maximum number of sessions. It is possible to configure 
a percentage to trigger alarm at this threshold. Use the following configuration in command line: 

CLI (configure)> ip inspect max-sessions threshold <1-100> 
In the same way, use the following command line to trigger alarm when reaching the maximum number of 
half-sessions: 

CLI (configure)> ip inspect half-open threshold <1-100> 


By default, threshold for both max-session and half-session is fixed to 90%. To restore the default 
configuration, use the following command line: 
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CLI (configure)> default ip inspect half-open threshold 

CLI (configure)> default ip inspect max-sessions threshold 
Alarms are sent according to the following procedure: 
e While one of the above thresholds is reached, alarms are periodically sent every 16 seconds. 
e When the threshold is no more reached, then alarm disappears. 


In order to be informed of a limit reached in an operational context, proprietary MIB traps are enabled 
through the following command line: 


CLI (configure)> snmp acl traps 


To restore the default configuration, use the no form of the above command: 


CLI (configure)> no snmp acl traps 
5.2.14 Per-Host Inspection 


To activate per-host inspection, ensure first that an access-list is attached to an interface. Then, use the 
following command in configuration mode: 


CLI (configure)> ip inspect per-host 


To disable per-host inspection, use the no form of the above command: 


CLI(configure)> no ip inspect per-—-host 


To configure the maximum number of sessions allowed for one host, use the following command line: 
CLI(configure)> ip inspect per-host max-sessions [<5-10000>] 
Default maximum number of sessions per host is 50. To restore the default value, use the following 
configuration command line: 
CLI(configure)> default ip inspect per-host max-sessions 
Used in conjunction with stateful inspection, it is possible to monitor the number of half-session per-host. 


To configure the maximum authorized number of half-sessions per host, use the following configuration 
command line: 


CLI(configure)> ip inspect per-host half-open [<5-100000>] 
Default maximum number of half-sessions per host is 20. To restore the default half-session number per 
host, use the following configuration command line: 


CLI (configure) > default ip inspect per-host half-open 
5.2.15 Per-Host Address Inspection 


The per-host limit is a global limit applicable to all hosts. However, such threshold may fit well for LAN 
workstations, while being not adapted to large servers and proxies creating a large number of legal 
sessions. It is possible to specify a list of IP addresses and declare for each address the desired maximum 
authorized session or half-session. 


To configure the maximum authorized sessions for one specific IP address, use the following command 
line in configuration line: 


CLI (configure)> ip inspect per-host address <A.B.C.D> max-sessions <5- 


10000> 


To configure the maximum authorized half-sessions for one specific IP address, use the following 
command line in configuration line: 


CLI (configure)> ip inspect per-host address <A.B.C.D> half-open <5-5000> 


To disable per-host address configuration, use the no form of the above command: 


CLI(configure)> no ip inspect per-host address [<A.B.C.D>] 
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5.3 ACL CONFIGURATION EXAMPLE (IPV4) 


In this example, the private network is using the address space 10.1.2.0/24. On the private network there 
are some servers, such as HTTP and FTP servers, which should be accessible from the outside network. 
The connection to the Internet is through a DSL interface (atm 0.1). Note that 10.1.2.0/24 is intentionally 


used, which is a private network address. The user must replace the address with public IP address on the 
interface atm 0.1. 


The objectives of the configuration to be set are: 
e To allow inside hosts to connect to any outside hosts. 


e To allow outside hosts to connect only to the inside server(s). Other inbound connections must be 
blocked. 


HTTP server 
10.1.2.11 


































remote host 























Private 
Network —_ 
10.1.2.0 


The access control can be configured using the following commands (assuming other interface parameters 
are properly configured): 


event filter add ip ACL ALL SHOW 
configure terminal 

interface Ethernet 0 

ip address 10.1.2.1 255.255.255.0 
ip verify reverse-path 

exit 


ip access-list extended in_acl 

permit tcp 0.0.0.0 255.255.255.255 10.1.2.11 0.0. 
permit tcp 0.0.0.0 255.255.255.255 10.1.2.11 0.0. 
permit tcp 0.0.0.0 255.255.255.255 10.1.2.11 0.0.0. 
remark permit inbound sessions to inside servers 
exit 


0.0 80 
0.0 20 
0 21 


ip access-list extended out_acl 

permit ip 10.1.2.0 0.0.0.255 0.0.0.0 255.255.255.255 log reflexive 
remark permit all outbound sessions 

exit 


interface atm 0.1 

! ### PVC configuration missing here 
ip access-group out_acl out 

ip access-group in_acl in 

exit 
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5.4 ACL STATISTICS (IPV4) 


Use the following command to display ACL global configuration parameters: 


CLI> show ip inspect config 

tcp synwait-time is 30 sec 

tcp finwait-time is 120 sec 

tcp idle-time is 1800 sec 

udp idle-time is 180 sec 

icmp idle-time is 30 sec 

other idle-time is 300 sec 

ftp idle-time is 30 sec 

log hold time is 300 sec 

maximum opened sessions 5000 

sessions alarm threshold 90 

maximum half-open sessions 1000 

maximum opened sessions per-host 50 
maximum half sessions per-host 20 
session information logging is disabled 
stateful packet inspection disabled 
mis-—ordered fragments buffering disabled 


Use the following command to display ACL global statistics: 


CLI> show ip inspect statistics 
Active/closed/failed sessions 11/1809/495 
Half-opened/closed/failed sessions 0/273/0 
inbound/outbound tcp errors 0/0 

memory allocation failures 0 

inbound/outbound packets dropped 44/0 
inbound/outbound packets permitted 97730/1439 


To clear ACL global statistics, use the following command in global mode: 


CLI> clear ip inspect statistics 


Use the following command to display statistics of configured access-lists: 


CLI> show ip access-lists [<acl-name>] 


Interface Atm0O.1, inbound IP access list in, outbound IP access list out 


IP access list out 
permit any log reflexive (194 matches) 


IP access list in 
permit any host 10.1.2.11 log (53 matches) 


To clear access list counters, use the following command in global mode: 


CLI> clear ip access-lists [<acl-name>] 


Use the following command to display active ACL sessions: 


CLI> show ip inspect session <interface> <unit> 


Interface Atm, inbound IP access list in outbound IP access list out 


protocol in-address:port out-address:port in/out timeout 


TCP 52.0.0.4:1031->52.0.0.3:telnet 34/44 96 

ICMP 52.0.0.4:26952->52.0.0.3:echo 5/5 30 

TCP 20.15 2.11 ste lnet<—52 502023524290 52/70 20744 
TCP 52.0.0.4:1030->192.178.10.43:telnet 50/56 60 


To delete all sessions from a specified interface, use the following command in global mode: 


CLI> clear ip inspect session <interface> <unit> 


For example: 


CLI> clear ip inspect session atm 0.1 


Use the following command to display ACL per-host configuration: 
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CLI> show ip inspect config per-host 
ip per-host inspection is enabled 
per-host maximum opened sessions 50 


Use the following show command to display the list of current ACL per host sessions. 


CLI> show ip inspect per-host 


address sessions/failed half-sessions/failed 
20... 141,26 1/0 0/0 

192, 168425133170 0/0 

192,168.2.250 170 0/0 

1:92 2168.2 .8 170 0/0 

192.168.2 11 1/0 1/0 


To reset the statistics per-host, disable the per-host inspection command and re-enable it. 
Use the following command to display active stateful inspection sessions: 
CLI> show inspect sessions 


TCP in-address:port out-address:port timeout state 


Use the following command to display stateful inspection statistics: 


CLI> show inspect statistics 
STATEFUL statistics 

Active sessions 0 

Closed sessions 0 

Failed sessions 0 

Permitted 0 

Dropped 0 


For logging ACL messages into a file, use the following command in global mode, in combination with the 
log keyword for the configured filters: 


CLI> event filter add ip ACL ALL LOG 


To cancel logging into a file, use the following command in global mode: 


CLI> event filter remove <index> 





5.5 ACL DEBUG AND TRACE (IPV4) 


To enable debugging of IP access-lists, use the following command in global mode: 


CLI> debug ip access-list 


To disable debugging of IP access-lists, use the no form of the above-referenced command. 


To enable debugging of stateful inspection, use the following command in global mode: 


CLI> debug ip inspect stateful 


To disable debugging of stateful inspection, use the no form of the above-referenced command. 
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6 IP ACCOUNTING 





6.1 IP ACCOUNTING FEATURES 


6.1.1 Per flow Accounting 


Accounting permits a user to record easily flows transiting through an interface. Traffic is sorted out by 
source and destination addresses in each direction. User can select to account traffic on both directions of 
an interface or only outgoing traffic. 


6.1.2 Accounting list Selection 
Accounting can be restricted to a pool of specific addresses, thus selecting only interesting traffic. 
6.1.3 Accounting Violations 


Used in conjunction with an access-list attached to the same interface, the IP accounting function counts 
flows denied by the access-list. Accounting violations are automatically available once accounting is 
enabled and packets are dropped by the access-list attached to the interface. 


6.1.4 Per Precedence Accounting 


Instead of sorting out packets by their IP addresses, the accounting function can record packets per 
precedence value. This feature can help in troubleshooting IP QoS configuration. 


6.1.5 Accounting Threshold 


To avoid memory starvation, an accounting threshold that sets the maximum number of accounted flows is 
configurable. 
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6.2 IP ACCOUNTING CONFIGURATION 


6.2.1 Per Flow Accounting 


To apply accounting to an interface, use the following command in interface configuration mode: 


CLI (config-if)> ip accounting 


To apply accounting only to output packets, use the following command in interface configuration mode: 


CLI(config-if)> ip accounting output-—packets 


To restore the configuration mode and disable ip accounting, use the no form of the above command: 


CLI (config-if)> no ip accounting 
6.2.2 Per Flow Accounting 


To restrict accounting to a pool of addresses, first configure an access-list and use the following command 
in configuration mode: 


CLI(configure)> ip accounting-list <acl-name> 
To restore the default behavior and account packets independently from their source and/or destination 
address, use the following command in interface configuration mode: 


CLI (config-if)> no ip accounting-list 
6.2.3 Accounting Threshold 


To configure accounting threshold (i.e. the maximum of recorder flows), use the following command in 
configuration mode: 


CLI (configure)> ip accounting-threshold <100-10000> 


To restore the default threshold (2000 sessions) use the no form of the above command in configuration 
mode: 


CLI (config-if)> no ip accounting-threshold 
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6.3 IP ACCOUNTING STATISTICS 


Use the following show command to display the list of accounting flows. 


CLI> show ip accounting fastethernet 0/0 
Source Destination Packets Bytes 
20.1.1.44 LOZ EOC aaa 336 174222 


Use the following show command to display accounting result by precedence. 


CLI> show ip accounting precedence 


Use the following show command to display the list of accounting flows. 


CLI> show ip accounting access-violations 
Source Destination Packets Bytes ACL 
20.515 eg AA LOZ. 166.206 336 WAZ 2 LOZ 


To reset all accounted flow, use the following clear command in global mode. This command clears 
counters, and associated flows: 


CLI> clear ip accounting 





6.4 IP ACCOUNTING DEBUG 


A debug command permits having real-time information on accounted flows: 


CLI> debug ip accounting 
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7 NETWORK ADDRESS TRANSLATOR (NAT) 


This section describes the main features of the Network Address Translator and its configuration. 





7.1 NAT FEATURES 


The following terms are used throughout this section: 
7.1.1 Inside Local Address 


This address is the private address, also the real address of an inside host. IETF reserved 10.0.0.0/8, 
172.16.0.0/12 and 192.168.0.0/16 as private address space. However for historical reasons, the address 
space of a private network may not fall in the ranges noted above. 


Tal<g2 Inside Global Address 

This address is the globally routable address that is temporarily or permanently assigned to an inside host. 
7.1.3 Outside Global Address 

This address Is the real address of an outside host, which is globally routable. 
7.1.4 Outside Local Address 


This address is the local address assigned to an outside host in case of address conflict (or overlapping). 
Outside local addresses are only routable in the private domain. 


T2145 Dynamic Address Translation (Dynamic NAT) 


NAT translates the IP source address of outbound traffic from an inside local address to an inside global 
address, and vice-versa for inbound traffic. The inside global address is picked from the inside global 
address pool (which is configured by the user) when the inside host initiates a session to an outside host. 
When the session is finished, the inside global address is freed and returned to the inside global 
addresses pool. Dynamic NAT is generally unidirectional. However, once dynamic 1-to-1 mapping is 
established at the NAT device, sessions initiated from an outside host to the inside host can be accepted 
according to a configurable parameter, (for example, under the condition that a session between them 
already exists) as it is generally initiated by the inside host. 


7.1.6 Static Address Translation (Static NAT) 


Static NAT translates the IP source address of outbound traffic from an inside local address to the same 
inside global address and vice-versa for inbound traffic whenever static mapping exists in a user 
configured address mapping table. The mapped inside global address will be automatically excluded from 
the inside global address pool if it is contained in the latter. Static NAT is implicitly bi-directional, meaning 
that sessions can be initiated from inside hosts as well as outside hosts. 
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Dynamic Address/Port Translation (Dynamic NAPT) 


Dynamic NAPT translates the IP source address and port of outbound traffic from an inside local address 
and port pair to an inside global address and port pair, and vice-versa for inbound traffic. One inside global 
address is generally sufficient for all dynamic address/port translations. Dynamic NAPT, also known as 
address overloading, is always unidirectional (Sessions can only be initiated from inside hosts). Dynamic 
NAPT is only applicable to TCP, UDP and ICMP traffic. 


If both NAT and NAPT are configured, an automatic switch between NAT and NAPT is provided. When 
more than one address are available from the inside global address pool, only address translation (NAT) is 
applied. This is desirable since address translation is less restrictive, faster, and makes it less difficult to 
trace end hosts. However, as the number of global addresses is generally less than the number of inside 
hosts, it is very likely that the global address pool will be exhausted. In that case, it is desirable to continue 
allowing inside hosts to communicate with the outside world. If NAPT is enabled, the last global address 
available is reserved for NAPT. It will become effective only when global addresses are exhausted. At a 
later time, if global addresses become available again, the implementation will switch automatically to 
NAT. 


Static Address/Port Translation (Static NAPT) 


Static NAPT translates the IP source address and port of the outbound traffic from an inside local address 
and port pair to the same inside global address and port pair. The reverse applies to inbound traffic 
whenever static mapping exists in a user-configured address/port mapping table. Static NAPT is implicitly 
bi-directional, meaning sessions can be initiated from inside hosts as well as outside hosts. Static NAPT is 
only applicable to TCP/UDP traffic. If static address/port mapping uses the same inside global address as 
used in a static address mapping, the static address/port mapping will be applied with higher priority. 


Similar to static NAT, static NAPT is often used for servers on the private network, which should be 
accessible from the outside world. 


Static NAPT Translation on a Port Range 


A single command enables the translation of a range of inside local ports into a new range of inside global 
ports. As it is based on static mapping, the translation applies also to inbound traffic. As a consequence, 
NAT port range is bidirectional, meaning that sessions can be initiated from inside hosts as well as outside 
hosts. 


NAT port range is only applicable to TCP/UDP traffic. If NAT port range uses the same inside global 
address as used in a static address mapping, the static address/port mapping will be applied with higher 
priority. 


Similar to static NAT, NAT port range is often used for servers on the private network, which should be 
accessible from the outside world. 


7.1.10 Outside Address Translation 


This mechanism translates the IP destination address of outbound traffic from an outside local address to 
an outside global address and vice-versa for inbound traffic. This translation is necessary only if the 
outside global addresses overlap with the inside local address space. After all sessions between the 
outside host and the inside network are completed, the outside local address will be freed and returned to 
the outside local address pool. This mechanism generally works together with DNS ALG. 


11 TCP/UDP Load Balancing 


Inbound TCP/UDP sessions destined to an inside global address and port can be dispatched to a number 
of inside hosts (servers). The maximum number of inside servers is limited to 8. In order to ensure that the 
traffic from a given outside host is always handled by the same inside server, the selection of the inside 
server is based on the outside host address. This is necessary for some applications. 


.12 DNS Interaction 


Upon outgoing DNS queries for domain name to address resolution, the device intercepts DNS reply 
packets, to check whether the outside global address overlaps with the inside local address space. If the 
device finds an overlap, the outside global address is translated to an outside local address by creating a 
dynamic mapping. 
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Upon outgoing DNS queries for address to domain name resolution, the device intercepts DNS request 
packets to check whether any outside local address is present. When an outside local address is detected, 
the device translates the outside local address to an outside global address, when corresponding dynamic 
mapping exists (there is no translation when the mapping does not exist). 


Upon incoming DNS queries for domain name to address resolution, the device intercepts DNS reply 
packets to check whether any inside local address is present. When this is the case, the device translates 
the inside local address to an inside global address, by using either a static mapping or creating a dynamic 
mapping. 


Upon incoming DNS queries for address to domain name resolution, the device intercepts DNS request 
packets, checking whether the inside global address is mapped to an inside local address. When this is the 
case, the device translates the inside global address to an inside global address by using either existing 
static or dynamic mapping. 


7.1.13 Application Level Gateway (ALG) 


When an address and/or port are translated, the application data (payload) must be translated for 
protocols that contain an IP address and/or transport port in their messages. This is known as an 
Application-Level Gateway (ALG). At present, the following ALGs are supported: DNS, FTP, ICMP, NBT 
(NetBIOS over TCP/IP), ntalk (UNIX talk command), H.323, and SIP (Note: SIP ALG is not activated by 
default). For other protocols, TELNET, HTTP, TF TP, SMTP, and NFS (which do not contain an IP address 
and transport port in the application payload), no particular ALG is required. 


7.1.14 Session Limitation and Denial-of-Service Protection 


Only dynamic NAT is concerned by this paragraph. 


The maximum number of permitted NAT sessions can be configured. When this limit is reached no more 
sessions can be created. When the default threshold of 90% of total sessions is reached an alarm is sent 
periodically. When the maximum number of sessions is reached an alarm is also sent periodically. 


Such limitation avoids complete memory exhaustion when some hackers try to create many fake sessions 
in the router. However, this limit has the drawback that it can block the router for a transient phase until 
some session contexts are freed (after some timeouts have elapsed). 


In order to mitigate such issue, the maximum number of per-host NAT sessions can be configured. When 
this limit is reached no more sessions can be created by this host. When the maximum number of sessions 
is reached for a specific host an alarm is sent periodically. The limit will block an attack originated by a 
given host while letting other hosts creating NAT sessions. The router is then no more blocked in case of 
such attack. 


The default limit per host may not be suitable for all hosts. For example, a web server may be entitled to 
create many sessions while normal LAN workstations should only consume few NAT sessions. The 
maximum number of permitted NAT sessions can be configured for a specific host. 


.15 IPsec and NAT 


If you activate NAT overload on the WAN interface and an |Psec flow should go through to the router, two 
cases must be considered: 


e IPsec client on the LAN (private IP), IPsec gateway reached via a public IP address: nothing to 
configure, it functions de-facto. 


e IPsec client reached via a public IP, IPsec gateway on the LAN (private IP): the client cannot reach 
directly the gateway. IPsec must be NATed. In order to let [IPsec go through NAT, you must configure 
static UDP translation for the port 500 (IKE) and 5000 (IPsec tunnel encapsulated in UDP because of 
NAT traversal). 


In both cases, the client and the gateway must support NAT-traversal (RFC 3947). See section "NAT 
Traversal" in "IP Security" chapter of "OneOS — Advanced IP User Guide" document for more details. 


Think to use the bypass list to avoid the traffic inside the IPsec tunnel being dropped by NAT. See section 
7.2.9 "Bypass inside Addresses" for more details. 


Basic IP User guide Page 7.1-67 of 150 


ONEOS V4.3R4 / V5.1R3 BASIC IP USER GUIDE (EDITION 10) 


7.1.16 Reflexive Access Lists and NAT 


If you activate NAT overload on the WAN interface and a reflexive access list is applied to this interface, it 
will not work. The temporary filter in the reverse direction is set up before NAT with the inside local 
address; the subsequent session message use, because of NAT, the inside global address and therefore 
cannot pass through the device. 


Depending on the cases, the solution can be to use static NAT for the LAN traffic or to use local access 
lists that apply only to the local traffic that is destined to or generated by the router. See section 5 "|Pv4 
Access Lists" for more details. 


7.1.17 Easy VPN and NAT 


If you activate NAT overload on the WAN interface and an Easy VPN is applied to this interface, think to 
use the bypass list to avoid the traffic inside the Easy VPN being dropped by NAT. See section 7.2.9 
"Bypass inside Addresses" for more details. 
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NAT CONFIGURATION COMMANDS 


Most NAT configuration parameters are interface-specific, (i.e., the user should configure the parameters 
at the public network interface). If required, the user can also apply NAT to multiple interfaces as in the 
case of a multi-homed network. 


Note: as of V4.3R2E2 software release, the existence of multiple VRF in router configuration is transparent 
to NAT. Nevertheless the NAT parameters (such as logging, limits and timers) are globally defined and 
apply to all VRF. 


Inside Address Translation Order 


The user can configure all or any combination of the translation modes described above at the same time. 
If multiple translation modes are configured, they are applied to the outgoing sessions in the following 
order: 


1. Static address/port translation 
Static address translation 
Dynamic address translation - if the packet matches the user list of an inside address pool 


Dynamic address/port translation - if the packet matches the user list of an inside address pool 


od oe 


Dynamic address/port translation using the interface address - if the packet matches the user 
list or if the user list is not specified. 


In the case where inside global address is the only interface address, only translation modes 5 and 1 can 
be applied. Any outgoing sessions not eligible for the above-referenced translation are rejected once NAT 
is configured on an interface. 


For inbound sessions, the translation modes are applied in the following order: 
1. Static address/port translation 
2. Static address translation 
3. Dynamic address translation - if the destination address is allocated to an inside host 


Any inbound sessions not eligible for the above-referenced translation are rejected once NAT is configured 
on an interface. 


Dynamic NAT/NAPT 


To configure dynamic inside address translation, an inside global address pool (inside pool) should be 
configured. To do so, an access list should be created first to identify the user of the pool, i.e., the packets 
matching that access list will be translated using this pool. The access list could be a standard or extended 
access list. For example, an access list including all inside hosts can be set as follows: 


CLI (configure)> ip access-list standard <acl-name: 1-150 char> 
CLI (ip-acl-std)> permit any 
CLI (ip-acl-std)> exit 


To set an inside pool, use the following command: 


CLI(configure)> interface <type> <unit> 
CLI(config-if)> ip nat inside pool <name> <start-address> <end-address> 
user-list <acl-name> [overload] 


The addresses contained in the range of starting and ending addresses are added to the named pool. To 
protect against possible configuration errors, the maximum number of addresses, which can be put into a 
pool is limited to 65535. If the outgoing interface address and any statically mapped addresses are 
contained in the given global address space, they are automatically excluded from the inside pool. The 
name of access list to use must be entered after the keyword user-list. The keyword overload, if present, 
enables address overloading (NAPT) for this pool. 
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To remove the inside pool, use the command: 


CLI(config-if)> no ip nat inside pool <name> 


If the pool is in use, this command will fail. In this case, the user should first clear the NAT session table by 
using the command: 


CLI> clear ip nat sessions 


It is preferable to shutdown the NAT interface if traffic is present. Doing so will prevent erratic packets from 
being sent to the local terminals. Assuming that an inside pool is configured; the first time an inside host 
sends a packet to the public network, a global address will be taken from the pool and assigned to that 
host (if it belongs to the user list). The mapping between the inside local address and the inside global 
address is stored and maintained in a table. Whenever dynamic address mapping exists, it is possible for 
outside hosts to initiate sessions with the inside host (using the corresponding inside global address). To 
allow inbound sessions to dynamically assign global addresses, use the following command: 


CLI (config-if)> ip nat two-way [restricted] 
By default, inbound sessions to dynamically allocated global addresses are not allowed. If the keyword 
restricted is present in the above-referenced command, only the outside hosts already in contact with the 


corresponding inside host are allowed to initiate sessions. To deny any inbound sessions to a dynamically 
allocated inside global address, use the command: 


CLI(config-if)> no ip nat two-way 
T22k3 Dynamic NAPT on the Interface Address 


To overload the interface address, apply address and port translation using the following command: 
CLI (configure)> interface <type> <unit> 


CLI(config-if)> ip nat inside overload [user-list <acl-name>] 


The user access list is optional. If the user access list is present, only the packets matching the access list 
are translated. Packets not matching the access list are dropped. If the user-list is not specified, all packets 
are translated using the interface address. 


To carry out interface address overloading, there is no need to specify the global address that will be used. 
It is taken from the interface at the time of translation. This allows NAT to work together with any dynamic 
address allocation protocol, such as BOOTP, DHCP or IPCP. 


To preserve some ports from being used by dynamic NAPT, use the following commands as many times 
as needed: 


CLI(config-if)> [no] ip nat reserve-port <local-port-number> {tcp | udp } 
CLI(config-if)> [no] ip nat reserve-port range <start> <end> {tcp | udp } 
To disable interface address overloading, use the command: 


CLI (config-if)> no ip nat inside overload 
7.2.4 Static NAT 


To carry out static address translation, use the following command to create static address mapping: 


CLI(configure)> interface <type> <unit> 
CLI (config-if)> ip nat static <inside-local> { <inside-global> | self } 
[<range>] 


The keyword self means the address of the interface. It is useful when the interface address is assigned 
dynamically, using IPCP for example. 


The optional parameter range (1-65535) allows the static translation of the range of addresses from 
inside-local tO inside-local + range (i.e. "range+1" addresses). 


To remove an existing static address translation, use the no form of the command: 


CLI (config-if)> no ip nat static <inside-local> {<inside-global> | self} 
[<range>] 
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14245 Static NAPT 


To carry out static NAPT, use the following command to create a static address/port mapping: 


CLI(configure)> interface <type> <unit> 
CLI (config-if)> ip nat static-napt {tcp | udp} <inside-local-address> 
<inside-local-port> {<inside-global-address> | self} <inside-global-port> 


The keyword self means the address of the interface. It is useful when the interface address is assigned 
dynamically, using IPCP for example. 


In the case of TCP, a user access list can be applied. If the user access list is present, only the packets 
matching the access list are translated. Packets not matching the access list are dropped. If the user-list is 
not specified, all packets are translated. 


CLI (configure)> interface <type> <unit> 
CLI(config-if)> ip nat static-napt tcp <local-address> <local-port> 
{<global-address> | self} <global-port> [user-list <acl-name>] 


To remove an existing static address/port translation, use the command: 


CLI (config-if)> no ip nat static-napt {tcp | udp} <inside-local-address> 
<inside-local-port> {<inside-global-address> | self} <inside-global-port> 


7.2.6 Static NAPT ona Port Range 


To carry out static NAPT, use the following command to create a static address/port mapping: 


CLI(configure)> interface <type> <unit> 

CLI (config-if)> ip nat static-napt port-range { tcp | udp } 
<inside-local-address> <inside-local-port-min> <inside-local-port-max> 
{ <inside-global-address> | self } 

<inside-global-port-min> <inside-global-port-max> 


The keyword self means the address of the interface. It is useful when the interface address is assigned 
dynamically, using IPCP for example. 


To remove an existing static address/port translation, use the command: 


CLI(config-if)> no ip nat static-napt port-range { tcp | udp } 
<inside-local-address> <inside-local-port-min> <inside-local-port-max> 
{ <inside-global-address> | self } 

<inside-global-port-min> <inside-global-port-max> 


aw Static NAT on IP Protocol 


To carry out static NAT on the IP protocol, use the following command to create a static address/port 
mapping: 


CLI(configure)> interface <type> <unit> 
CLI(config-if)> [no] ip nat static-ip <protocol> <inside-local-address> 
{ <inside-global-address> | self } 


protocol Is the IP protocol or the protocol name (see show ip protocol-map). The keyword self 
means the address of the interface. It is useful when the interface address is assigned dynamically, using 
IPCP for example. Example to allow PPTP: 


ip nat static-napt tcp 192.168.1.223 1723 20.1.1.1 1723 
ip nat static-ip 47 192.168.1.223 20.1.1.1 


7.2.8 Overlapping Outside Address Translation 


If the address space of the private network does not fall into the ranges reserved by IETF (RFC 1918), it is 
possible that inside local address will overlap with outside global addresses. If this is the case, outside 
address translation is required. To do so, a standard access list should be configured to indicate the 
overlapping outside global addresses. For example, the following command can be used: 


CLI(configure)> ip access-list standard <acl-name: 1-150> 
CLI (ip-acl-std)> permit <ip-address> <wildcard> 
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CLI (ip-acl-std)> exit 


Then, the following command can be used to configure the outside local address pool (outside pool): 


CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip nat outside pool <name> <start-address> <end-address> 
user-list <acl-—name> 


It is important to note that for inside hosts, a route entry should be added for routing the given outside local 
address/mask to the NAT device. If a default route through the NAT device already exists, a route entry is 
not needed. 


To remove the outside address pool, use the command: 


CLI (config-if)> no ip nat outside pool <name> 


If the pool is in use, this command will fail. In this case, the user should first clear the NAT session table by 
using the command: 


CLI> clear ip nat sessions 
7.2.9 Bypass inside Addresses 


NAT provides some kind of access control. Simply speaking, inbound packets are dropped if they are not 
destined to statically map global addresses/ports. Outbound packets are dropped if they do not match any 
user list of the inside pools and if they do not have a static address and/or port mapping. To prevent NAT 
from dropping such packets, the bypass list should be used. 


To indicate the inside addresses that should not be translated, use the following command: 
CLI (configure)> interface <type> <unit> 
CLI (config-if)> ip nat inside bypass-list <acl-name> 
Only one bypass list can be configured. However the bypass list can contain more than one filter. 


At the outgoing interface, a packet matching the bypass list is forwarded unchanged (and vice-versa for 
packets received from the outside network). Therefore, the bypass list applies to both directions. 


To remove the bypass list, use the command: 


CLI(config-if)> no ip nat inside bypass-list 
7.2.10 Load Balancing 


A pair of inside global address/port can be mapped to several inside local address/port pairs. By entering 
the following command with the same global address and port, the device can dispatch traffic to a set of 
local servers. 


CLI(configure)> interface <type> <unit> 
CLI(config-if)> ip nat static-napt tcp <local-address> <local-port> 
<global-address> <global-port> 


The following example shows how the traffic routed to one virtual FTP server (20.1.1.10) is dispatched to 
two inside FTP servers: 


ip nat static-napt tcp 10.1.1.10 21 20.1.1.10 21 
ip nat static-napt tcp 10.1.1.11 21 20.1.1.10 21 


7.2.11 Changing the Timer Values 


A number of timers are used by NAT to control the end of sessions and address allocations. The user can 
change the default timer values if required. All timers are expressed in seconds. To set the DNS timer, use 
the following command in global configuration mode: 


CLI (configure)> ip nat translation dns-timeout <seconds> 
The default value is 90 seconds. This timer is used to hold address mappings created by DNS ALG. For 
example, an inside global address could be allocated to an inside host by DNS ALG when translating an 


outgoing DNS reply message. The inside global address will be freed if a data session has not been 
initiated with that address for this timeout period. 
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To set the TCP session close wait timer, use the following command in global configuration mode: 
CLI (configure)> ip nat translation finrst-timeout <seconds> 
The default value is 120 seconds. When a TCP packet with FIN or RST bit set is received, the session will 


be removed from the session table only after the timer expires. This action is necessary for both sides to 
properly close the TCP session. 


To set the ICMP idle timer, use the following command in global configuration mode: 
CLI(configure)> ip nat translation icmp-timeout <seconds> 
The default value is 30 seconds. This timer is used to remove an ICMP session when it is idle for the 
specified period. 
To set the TCP idle timer, use the following command in global configuration mode: 
CLI(configure)> ip nat translation tcp-timeout <seconds> 
The default value is 1800 seconds. This timer is used to remove a TCP session when it is idle for the 
specified period. 
To set a TCP idle timer for a specific TCP port, use the following command in global configuration mode 


CLI(configure)> ip nat translation port-timeout tcp <port nb> <seconds> 


To set the UDP idle timer, use the following command in global configuration mode: 
CLI(configure)> ip nat translation udp-timeout <seconds> 
The default value is 120 seconds. This timer is used to remove a UDP session when it is idle for the 
specified period. 
To set a UDP idle timer for a specific UDP port, use the following command in global configuration mode 


CLI(configure)> ip nat translation port-timeout udp <port nb> <seconds> 


To set the idle timer for all other protocols, use the following command in global configuration mode: 


CLI(configure)> ip nat translation others-timeout <seconds> 


The default value is 60 seconds. 


To return to the default values, use the ‘default’ form of the above-referenced commands. 
7.2.12 Changing the Maximum Number of Sessions 


To set the maximum number of sessions, use the following command in global configuration mode: 
CLI (configure)> ip nat translation max-sessions <100-100000> 
The default value depends on the product (check the command: show ip nat timers). If the number 


of current active sessions reaches the maximum number of sessions, new sessions will be rejected. This is 
often useful to limit the maximum amount of memory used by NAT. 


To return to the default value, use the command: 


CLI(configure)> default ip nat translation max-sessions 
7.2.13 Per-Host Sessions Limitation 


To activate per-host inspection (session limiting per host), use the following command in configuration 
mode (max-sessions must be provided in case another value than default —50- is used): 


CLI(configure)> ip nat per-host [max-sessions <5-100000>] 


To disable per-host inspection, use the no form of the above command: 


CLI(configure)> no ip nat per-—-host 


To restore the default number of maximum sessions, use the following configuration command line: 
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CLI (configure)> default ip nat per-host max-sessions 


7.2.14 Per-Host Address Sessions Limitation 


The per-host limit is a global limit applicable to all hosts. However, such threshold may fit well for LAN 
workstations, while being not adapted to large servers and proxies creating a large number of legal 
sessions. It is possible to specify a list of IP addresses and declare for each address the desired maximum 
authorized sessions. Note that the next command is only active if 'ip nat per-host [max- 
sessions <nbr>]' was previously entered. 


To configure the maximum authorized sessions for one specific IP address, use the following command 
line in configuration line: 


CLI(configure)> ip nat per-host address <A.B.C.D> max-sessions <5-100000> 


To disable per-host address configuration, use the no form of the above command: 


CLI(configure)> no ip nat per-host address <A.B.C.D> 
7.2.15 Activating SIP ALG 
To activate SIP ALG, which is not activated by default, use the following command in configuration mode. 


The default port (5060) is used when the port number is not provided. 


CLI (configure)> ip nat service sip udp [<port_number>] 


To deactivate SIP ALG, use the no form of the above command: 


CLI(configure)> no ip nat service sip udp 
7.2.16 Sending SNMP Traps for Outstanding Events 


Alarms are sent according to the following procedure: 
e When the maximum number of sessions is reached, an alarm is periodically sent every 16 seconds. 
e When the threshold is no more reached, then the alarm disappears. 


When 90% of all NAT session contexts are used, a trap can be sent (please load OneAccess NAT MIB on 
your SNMP management system). Another trap is sent, when the number of sessions becomes lower than 
this 90% threshold. To enable such trap, enter the following command in global configuration mode: 


CLI(configure)> [no] snmp traps nat 
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NAT CONFIGURATION EXAMPLES 


In the first example, the private network uses the private address space 192.168.2.0. In the private 
network, an HTTP server is running on the host 192.168.2.20, which should be accessible from the outside 
world. The only inside global address (52.0.0.4) is the interface address. As such, there is no inside 
address pool. NAT overload (NAPT) should be configured. NAT will take the interface address at the time 
the first packet is sent to the outside network. 


NAT can be configured using the following commands (assuming other interface parameters are properly 
configured): 




















HTTP server 
192.168.2.20 


52.0.0.4 




















Private Network 
192.168.2.0 


interface ethernet 0/0 
ip address 192.168.2.1 255.255.255.0 
exit 


interface atm 0.1 

ip nat inside overload 

ip nat static-napt tcp 192.168.2.20 80 52.0.0.4 80 
exit 


If you do a static translation on a port used by a router application (such as telnet server), the application 
will not be reachable any more: translation on TCP port 50 prevents the use of the embedded telnet 
server. 


In the second example, the network configuration is almost the same except that a number of inside global 
addresses (ranging from 213.1.2.10 to 213.1.2.20) are available. In this case, an inside global address is 
statically assigned to the HTTP server. The remaining addresses are put into the inside global address 
pool, called 'pi'. NAPT (overload) is enabled on the addresses from this pool. Outside hosts are allowed to 
initiate sessions with an inside global address if the corresponding inside local/global address mapping 
exists. The following is the configuration script: 


ip access-list standard ul 
permit 192.168.2.0 0.0.0.255 
exit 


interface atm 0.1 

ip nat inside pool pi 213.1.2.10 213.1.2.19 user-list ul overload 
ip nat two-way 

ip nat static 192.168.2.20 213.1.2.20 

exit 


In the third example, the use of user lists in NAT commands is demonstrated. Here the inside global 


addresses are divided into two pools used by two different user groups. Extended access lists are created 
to identify each user group. The inside (Source) addresses in the range of 192.168.2.0 to 192.168.2.127, to 
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the outside (destination) addresses in the range of 34.1.2.0 to 34.1.2.255, are of group 1 (u1) and will be 
translated using pool 1 (pil). The inside (source) addresses in the range of 192.168.2.127 to 
192.168.2.255 to the outside (destination) addresses in the range of 45.4.3.0 to 45.4.3.255, are of group 2 
(u2) and will be translated using pool 2 (pi2). The example above is configured using the following script. 


Ip access-list extended ul 
permit ip 192.168.2.0 0.0.0.127 34.1.2.0 0.0.0.255 
exit 


ip access-list extended u2 
permit ip 192.168.2.128 0.0.0.127 45.4.3.0 0.0.0.255 
exit 


interface atm 0.1 

ip nat inside pool pil 213.1.2.10 213.1.2.15 user-list ul 
ip nat inside pool pi2 213.1.2.16 213.1.2.19 user-list u2 
ip nat static 192.168.2.20 213.1.2.20 

exit 


The last example illustrates how to perform outside address translation. It is assumed that the inside local 
address space is now 20.1.1.0/24, which overlaps with the outside network. First, an access list is created 
to identify the conflicting addresses. Then, an outside local address pool is created for use if the outside 
global address falls into the range given in the access list. The configuration commands are given below: 


interface ethernet 0/0 
ip address 20.1.1.1 255.255.255.0 
exit 


ip access-list standard conflicts 
permit ip 20.1.1.0 0.0.0.255 
exit 


interface atm 0.1 

ip nat inside overload 

ip nat outside pool po 10.2.2.1 10.2.2.254 user-list conflicts 
exit 


A route for destination 10.2.2.0/24 via the NAT router should be set at end hosts. 





7.4 NAT STATISTICS 


Use the following command to display the NAT running configuration: 


CLI> show ip nat config 


Use the following command to display NAT global statistics: 


CLI> show ip nat statistics 

IN: 0 packets translated, O drops 

OUT: O packets translated, O drops 

Sessions: 0 active , 0 closed rejected due to memory full 
Address maps: O inside maps, 0 outside maps 


Use the following command to display NAT sessions: 


CLI> show ip nat sessions 
protocol in-local:port(global:port) out-global:port (local) in/out timeout 
FastEthernet 0/0 


icmp 1922168.2.7:22662(52.0.0.4)=520.1.1.44:echo 1/1 44 

icmp 192.168.2.7:22660 (52.0.0.4)->20.1.1.44:echo 1/1 44 

Lemp LOZ 68 2. 752265852 20.0.4) =>20.1.7.44-6echo: 1/1 44 

Lomp: 192.768 .2. 74226056: (52:..0:..0 .4) =>20..1.1,44<echo..1/144 

bop 192 .168:2..133234026 (5220.0.4) =s2021. 13445 8tp 10747-7200 

top. 192:.168:22 .1332 34029 (92..0:,.0474)-F20.1.1.44:ftp-data 11/3: 120 
t(5 


tep 192.168.2.133:telne 22020. 4) 4320.1 1 Aa sles: 320/291 7168 
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Note that the inside global port is missing if it is the same as inside local port and the outside local address 
will be missing when it is the same as the outside global address. Following address/port information, the 
number of outbound and that of inbound packets are given. For each NAT session, the last number of the 
text output indicates the number of seconds remaining for the session if it becomes idle. The arrow —> 


indicates that the inside host is the session initiator. Similarly, the arrow <- indicates that the outside host 
is the session initiator. 


Use the following commands to display NAT address mappings: 


CLI> show ip nat mappings inside 
Atm 0.1 

Pool Inside local Inside global Sessions 
pit, 192s 1 668602. 03- 2134-25 

Dis 192216022. 1921S eb 2 lors 


CLI> show ip nat mappings outside 
Pool Outside local Outside global Sessions 
po: 10.2224 20 293 2a LO: 2 

DOr WU. 22. LS LO She le 


To display the timer values in NAT, use the command: 


CLI> show ip nat timers 

TCP FIN wait timer 90 sec, DNS hold timer 90 sec 
TCP idle timer 7200 sec, UDP 3600 sec, ICMP 60 sec 
Idle timer for other protocols 600 sec 

Maximum number of sessions 1000 


To display information about NAT address pools, use the command: 


CLI> show ip nat pool 

Atm 0.1 (4) 

inside address pool pil (5/5/9): head 0 tail 5 
BVO Pia NOY ae eye bal! V2 Beek eee Ack opulence LS 
Z13 ¢ls2.14 

inside address pool pi2 (4/4/8): head 0 tail 4 
ZS eA edo: 2HSe le oelS 23a kat eo! eS 
bypass inside address 52.0.0.4/32 


Use the following show command to display the list of current NAT sessions per host: 


CLI> show ip nat per-host 


NAT sessions: 


address sessions failed max—-sessions 
192.166 510.250 17 2194 Lg, 
197 166.10 <5 a 0 10 


To reset the statistics per-host, disable the per-host inspection command and re-enable it. 
To reset the statistic counters, use the command: 


CLI> clear ip nat counters 


To clear the NAT session table, use the command: 


CLI> clear ip nat sessions 


Be aware that in doing so, the current stateful sessions, in particular those of TCP, will be terminated at 
end hosts. 
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125 NAT DEBUG AND TRACE 


To enable IP NAT debugging, use the following command in global mode: 


CLI> debug ip nat 


To disable IP NAT debugging, use the ‘no' form of the above-referenced command. 
Debugging for the per-host session limiting feature is enabled through the following command line: 


CLI> debug ip nat per-host 


To disable such debugging, use the no form of the above command: 


CLI> no debug ip nat per-host 


To display the current debugging modules, use the command: 
CLI> show debug 
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8 


QUALITY OF SERVICE 


This section describes the main features of Quality of Service and its configuration. 





8. 


8.1. 


1 


QOS FEATURES 


OneOS QoS implements the Differentiated Services (DiffServ) architecture, as defined by the IETF in RFC 
2475. For scalability, DiffServ offers QoS guarantees to traffic aggregates instead of individual flows. 
Packets are classified according to special criteria and marked to receive a particular per-hop forwarding 
behavior (PHB) on nodes along their path. Packets can generally be classified and marked once, typically 
at network boundary routers. Core (backbone) routers need not perform these heavy tasks. As a result 
they can handle a much higher volume of traffic. 


Services 


At present, two types of PHB are defined in addition to Default Forwarding (DF) (Best Effort service (BE)): 
Assured Forwarding (AF) and Expedited Forwarding (EF). Expedited Forwarding is specified to provide 
low loss, low latency, low jitter, assured bandwidth, end-to-end service similar to a virtual Leased Line. 
Assured Forwarding is used to offer Differentiated Services to different users or applications. Four classes 
of services have been defined in Assured Forwarding (AF1 to AF4). Within each class, an IP packet can 
be marked with one of three levels of drop precedence (Afx1 to Afx3). In addition to the standard PHBs, 
users can conveniently define private PHBs. The standard PHBs are shown in the following table. 


101110 Tokenbuers 


001010 
ree 001100 Token Bucket 
001110 
| 010010 
es 010100 Token Bucket 
010110 


100010 
100100 
100110 


eran Default (DF)} 000000 


Economic 
(AF 4) 


Token Bucket 


Remainder 





; 011010 

ronze 

(AF3) 011100 Token Bucket 
011110 
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8.1 


8.1.2.1 


8.1.2.2 


c2 


QoS Components 
In order to help understand and configure IP QoS, the main QoS components are briefly described here. 
Flow Classification 


In terms of QoS, the first processing applied to input traffic is generally classification. Multiple methods are 
provided for this purpose: 


e Access-lists (i.e., multi-field classifiers). Classification based on access lists can use the following 
fields in the TCP/IP header: IP source address and mask, IP destination address and mask, IP 
protocol field, a range of source port and a range of destination port for TCP/UDP traffic, as well as 
DSCP (Differentiated Services Code Point) value. 


e Simple traffic classifier using DSCP. 
e RIP traffic classifier that performs automatic recognition of RTP flows. 
e Interface traffic classifier. 


e Acclass (an aggregation of traffic flow) can be defined using any combination of the above classifiers. 
At runtime, packets are compared against the list of classifiers in configuration order. When a packet 
matches a classifier, it will receive additional processing associated with the corresponding class. 


e 802.1) priority tag, 802.1q VLAN tag. 
Traffic Conditioning 


In order to enforce QoS to ingress/egress traffic on a router, QoS policy needs first to be defined for each 
class of traffic. Between a service provider and a customer, QoS guarantees are often specified as part of 
SLA (Service Level Agreement) in terms of bandwidth share and burst. In other cases, QoS policy can be 
simply defined by system administrator according to end-user's and enterprise wide requirements. 


The component, which enforces the QoS policy defined for each class is called the Traffic Conditioning 
Block (TCB or traffic policer). Traffic is first passed to a Meter which measures the traffic rate and 
determines its conformance level regarding to the traffic specification derived from the SLA or QoS policy. 
The conforming traffic, called in-profile, can be marked with a nominal DSCP (Marker) and passed to the 
next processing block. Non-conforming traffic, called out-of-profile, are processed according to their 
conformance level, for example, dropped (Dropper) or transmitted after remarking (Remarker). 


Although there are many different ways to perform traffic conditioning, only several well-known 
mechanisms are prescribed by the IETF. Our implementation supports Single Rate Three Color Marker 
(srTCM) algorithm (RFC 2697) and Two Rate Three Color Marker (tr?CM) algorithm (RFC 2698). These 
two algorithms are somewhat similar. 


In srTCM, traffic conditioning is specified using three parameters: a Committed Information Rate (CIR), a 
Committed Burst Size (CBS), and an Excess Burst Size (EBS). Simply speaking, if traffic flow input to the 
Traffic Conditioning Block is under CIR and CBS, it is said conforming or green, and the conform-action 
will be applied. If traffic flow is under CIR, beyond CBS and under EBS, it is said exceeding or yellow, and 
the exceed-action will be applied. If traffic flow is beyond CIR, CBS and EBS, it is said violating or red, and 
the violate-action will be applied. 


In trTCM, traffic conditioning is specified by two token buckets: a Committed Information Rate (CIR) and its 
associated Committed Burst Size (CBS), a Peak Information Rate (PIR) and its associated Peak Burst 
Size (PBS). Simply speaking, if traffic flow input to the Traffic Conditioning Block is under CIR and CBS, it 
is said conforming or green, and the conform-action will be applied. If traffic flow is beyond CIR and CBS 
and under PIR and PBS, it is said exceeding or yellow, and the exceed-action will be applied. If traffic flow 
is beyond PIR and PBS, it is said violating or red, and the violate-action will be applied. 


Possible actions for conform-action, exceed-action and violate-action include, for example, to transmit, to 
drop, to set a new DSCP value, to set a new IP precedence, to set ATM CLP bit to 1, or any meaningful 
combination of the above. 


It could be noticed that in trTCM, if the PIR is set to a value equal to CIR, with PBS equivalent to EBS, 
trTCM gives the same result as sr1CM. From this point of view, srTCM can be considered as a special 
case of trICM. 
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QoS Processing Functions 


To be more flexible and to facilitate user configuration and deployment, the following methods are provided 
to configure the Traffic Conditioning Block: 


Using a single token (CIR, CBS). There are two levels of conformance at the output of a meter: 
conforming or exceeding. 


Using two tokens, (CIR, CBS) and (PIR, PBS), where PIR = CIR. Single-Rate Three-Color Marker 
(srTCM) algorithm is applied. There are three levels of conformance at the output of a meter: 
conforming or exceeding or violating. 


Using two tokens, (CIR, CBS) and (PIR, PBS), where PIR > CIR. Two-Rate Three-Color Marker 
(trTCM) algorithm is applied. There are three levels of conformance at the output of a meter: 
conforming or exceeding or violating. 


As mentioned above, in common sense, conforming traffic is meant as green, exceeding traffic as yellow, 
violating traffic as red. For each AF class, a different code (DSCP) is defined for each color. These codes 
can be marked in the DSCP field of IP header. 


As described in srTCM and trI!CM, the Traffic Conditioning Block can work either in color-blind mode or 
color-aware mode: 


In color-aware mode, it is assumed that some preceding entity has pre-colored incoming packet 
stream (using DSCP) so that each packet is green, yellow or red. Upon an incoming packet, the meter 
determines a new color regarding to its traffic conditioning parameters. The packet changes its color 
to the resulting new color only if the latter degrades the packet's original color. For example, if the 
original color is yellow, the packet remains yellow if the new color is green; it changes to red if the new 
color is red. 


In color-blind mode, the original color of incoming packets is ignored. The color decided by the meter 
will be considered as the color of the incoming packet. 


In a deployment scenario, color-blind mode can be usually used on edge routers, while color-aware mode 
can be used on core routers located inside a DiffServ domain. 


8.1.2.3 


Packet Marking 


After flow classification or/and traffic conditioning, packets can be marked in different ways: 


Packets are marked by setting IP precedence or IP DSCP in the IP TOS field. It allows to classify 
traffic with an IP precedence or DSCP in the IP header 


Packets are internally marked with a QoS-group. It allows applying QoS actions (later inside a router) 
without changing the packet header. 


Set the CLP bit to 1 in the ATM header. It allows to control discarding cells in congested ATM network. 
Cells with the CLP bit set to 1 are discarded before normal cells when congestion occurs. 


Set 802.1p tag. In the event, IP QoS is applied on dot11radio interface; the 802.1p value is mapped 
into a WMM CoS. 
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8.1.2.4 


Congestion Avoidance 


Tail Drop 


Tail drop is the simplest form of congestion avoidance. Packets are dropped when FIFO queues have 
reached a certain length. It does not take into account the different classes of service and drop all packets 
without distinguish them during congestion. 


Random Early Detection (RED) 


The RED mechanism provides an alternative to avoid global synchronization issues with TCP packets 
being dropped by a tail drop algorithm. It takes advantage of TCP traffic, which can control transmission 
rate. RED makes a permanent control of the average queue size and avoids congestion by randomly 
dropping packets before queue is full. Thus, TCP detects that some packets are dropped and reduces their 
traffic transmission rate. The advantage of randomly dropping packets is not to influence the same TCP 
session. TCP traffic is thus desynchronized the link is fully utilized. But it should be reminded that the RED 
technique is intended to control TCP traffic congestion; it is not designed for UDP traffic, which does not 
have flow control. That said TCP constitutes the most heavily used network transport. 


Average Queue Size 
The average queue size avg Is used to select the RED discard probability. 
It is based on the previous average and the current queue size: 


avg = previous_avg * (1 - 2%(-w)) + current_queue_size * 2% (-w) 


Where w is an exponential weighting factor configurable by the user. 


If 2* (-w) tends to 1, the average queue size Is close from the real time queue size, which means avg has 
possibly an unstable value. Thus, temporary bursts will result in unnecessary traffic drop. 


If 2* (-w) tends to zero, the average queue size is not sensitive to drastic swing in size. Thus, the average 
will move slowly and it will not drop many packets during temporary bursts. 


Packet Drop Probability 


In RED, the drop decision is made according to the estimated average queue length, the minimum 
threshold, the maximum threshold, and mark probability. When the average queue length is below the 
minimum threshold, packets will never be dropped. When the average queue length is above the 
maximum threshold, all packets will always be dropped. Between the minimum and maximum threshold, 
packets will be dropped with a probability calculated according to the following formula: 


Probability of drop = Pmark x (Qmean —- Tmin)/(Tmax —- Tmin) 
Where: 
e Pmark is the mark probability 
e Qmean is the sliding average queue size 
e Tmin is the minimum threshold 


e Tmax ix the maximum threshold 


Drop 
Probability 





Min Threshold Max Threshold Average 
queue length 
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WRED is based on RED mechanism, but it is designed for Differentiated Services. It provides drop priority 
levels. WRED drops packets selectively based on IP Precedence or DSCP. It can selectively discard lower 
priority traffic when congestion occurs and provides differentiated performance for different classes of 
service. 


Usually, WRED is used in core routers where packets are already marked by edge routers with "traffic 
conditioning" (see above). "Traffic conditioning" determines 3 priority levels for each class, by assigning a 
DSCP/precedence value. In fact, the DSCP/drop precedence values are often referred to as three colors 
(green, yellow and red) where green packets have the highest priority and red the lowest priority. WRED 
use these priorities to determine how to process different types of traffic. It provides separate thresholds 
for different IP DSCP or Precedence values. 


WRED functions as RED but with a color-dependent processing. Depending on the packet color a different 
threshold value is used to allow an increased drop probability for red packets rather than green ones. 


Drop 
Probability 


100% (|------------------------------------ 






Marae See eon Se ties saat ete etn ye ln I oie et Mark Prob. 


red yellow green — green, yellow, Average 
min min min red max . 
threshold threshold threshold __ threshold re ee 
WRED has the same advantage as RED in that it avoids global synchronization issues and allows the 
transmission line to be fully used by randomly dropping packets before the emission queue is full. The only 
difference is that it works with different thresholds associated with colors, which provides preferential traffic 
and differentiated services. 


8.1.2.5 | Queuing/Scheduling 


At an output interface, once a packet passes the Traffic Conditioning Block, it will be placed in the queue 
corresponding to its class (each class is mapped to a unique queue). Typically the output queues could be 
simply FIFO (first in, first out) queues. For a FIFO queue, packets are dropped when the queue is full 
(called Tail Drop). 
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In order to allow better bandwidth use and share among TCP flows, Random Early Detection (RED) and 
WRED could be also used instead of FIFO for better congestion avoidance. 


After packets are queued, the scheduler is invoked to select the queue from which the next packet will be 
transmitted. CBQ (Class Based Queuing) scheduler is available to meet the requirements of DiffServ-like 
services. In CBQ, if the guaranteed bandwidth for a class is not fully used, the remaining bandwidth can be 
used by other non-priority classes. 


If any priority traffic such as EF aggregate is not conforming to the allocated bandwidth, it is simply 
dropped. 


If any non-priority traffic such as AF aggregate is not conforming to the allocated bandwidth, there are two 
cases: 


1. If the link bandwidth is fully used, non-conforming traffic will be dropped. 


2. If a portion of link bandwidth is left unused, non-conforming and non-priority traffic can be 
transmitted and marked (or remarked) with higher drop precedence. 


Note: in OneOS implementation, each CBQ class has its own queue whose queuing mode is FIFO and 
default size is 50 packets. When RED or WRED is used, the default size becomes 60 packets. The default 
size can be changed using the queue-limit command. 


The following describes how the burst size is used by the CBQ scheduler to take into account the bursty 
aspect of the traffic. The burst size itself is not used in the scheduling algorithm, but its mirror element: 
maxidle.The mirror element maxidle is computed according to the Floyd/Jacobson model, based on: 


e The MTU of the interface, 
e The total bandwidth of the interface, 
e The bandwidth of the class. 


The mirror element maxidle represents the maximum value of the continuously moving average idle 
parameter: avgidle.The avgidle value is the moving average of the difference between the actual 
delay between two successive packets sent for the class and the theoretical delay. It is used to determine 
if a class is over limit (it exceeds its configured bandwidth) or not. A class is over limit if its avgidle 
becomes negative. 


Avgidle is evaluated just after sending each packet of the class. The actual delay is the machine time 
measured between the preceding sent packet and the current packet. The theoretical delay is the size of 
the packet divided by the bandwidth of the class. Avgidle works as a token bucket expressed in delay 
value. 


The burst of the class is the maximum amount of bytes that can be sent back-to-back at the interface 
speed before being declared as over limit. It is at its maximum when the class has been idle for a least 
maxidle time. The burst is not configurable for AF classes (medium priority), but for EF classes (high 
priority). When it is not configurable (AF class) or not configured (EF class), it is computed via maxidle as 
described above. 


8.1.2.5.1 CBWFQ 


CBWFQ (Class Based Weighted Fair Queuing) is an extended CBQ scheduler, which guarantees 
bandwidth share reserved for each class and also provides fair share of bandwidth for flows inside a same 
class. In our CBWFQ, flow-based WFQ is provided, which is particularly useful for flow-controlled protocols 
such as TCP. 


It is known that bandwidth share problems arise often when multiple TCP flows coexist or TCP and UDP 
flows coexist at the same time over the same link. In the worst case, the most aggressive flows will get all 
the bandwidth, and flow-controlled traffic will get no more bandwidth. This is mainly because a well- 
implemented TCP will lower sending rate (by reducing send window size, for example) when congestion is 
detected (packet loss). In practice, different TCP implementations generally do not have exactly the same 
flow control behavior. So they can get different bandwidth share over a specific link. 


With CBQ, all packets of the same class are put in the same queue. CBWFQ can be activated individually 
for each class or not. With CBWFQ, each flow inside a class is queued into a different queue. An equal 
weight inside the class is assigned to each flow, so that every flow gets a fair bandwidth share. Flows from 
different classes have implicitly different weights when the bandwidth assigned to the classes is different. A 
flow is distinguished using source and destination IP address, protocol, source and destination ports, TOS 
value. Then Weighted Round Robin (WRR) is used to schedule which queue is to be transmitted. With 
CBWFQ, bandwidth is fairly shared among all flows. An aggressive flow can no longer get more than an 
equal share of bandwidth. 
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Note: CBWFQ and RED/WRED are exclusive (queuing mode for CBWFQ can only be FIFO). With 
CBWFQ, the default queue size (50 packets) is the global limit for the collection of currently active flows 
(that can be changed using the queue-limit command). The default queue size for individual flows is 
10 packets (that can be changed using the fair-queue command). Individual flows queues are scheduled in 
round-robin mode inside the class. 


8.1.2.5.2 Transit Delay Control 


Flows that must be served with a real-time class require that the corresponding packets are classified in an 
EF class. However, when the uplink bandwidth is very small, the performance obtained with standard 
parameters might not be sufficient. Tuning transit delays is possible using several techniques. But the user 
should be aware that changing such default parameters can impact significantly the device routing 
performance. 


To understand how to tune transit delays, a glance at the scheduling algorithm is useful. The IP QoS 
scheduler functions as follows: 


N frames (default tx-ring: 32) 





Interface Driver Component 


CBQ Queues 


The interface driver has a transmit ring. The transmit ring (tx-—ring) is a sort of queue where ready-to- 
sent packets are leaved. The interface driver picks packets from the tx—ring at the interface speed. 


The scheduling steps are the following: 


1. The scheduler puts all packets from the EF queues in the tx—ring until the EF queues are 
empty 


2. The scheduler takes packets from the AF and BE classes according to their configured 
respective bandwidth. If one or more AF/BE classes do not use all their configured bandwidth, 
the remaining bandwidth is redistributed among all queues with remaining packets 


3. Ifthe tx-ring is full, the scheduler stops emitting and does not complete step 2. 
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4. When the tx-ring is empty or when a short QoS watchdog timer is expired, the scheduler 
wakes up again. 


5. The scheduler looks first if there are packets in EF queues (before completing the step 2 that 
was eventually not finished previously) 


6. The scheduler completes the step 2, if not finished previously. 


Note: this algorithm is valid for CB-WFQ and CBQ. CB-WFQ only has an influence in the order by which 
packets from an AF class go out of the CoS queue(s). 


Latency can thus be reduced by setting the number of frames stored in the tx-ring. (See: "tx-ring 
max-buffers <num-of-frames>" or "tx-ring max-latency" commands under interface 
configuration mode). The maximum latency resulting from queuing for a packet from the high priority class 
IS: 


Latency = ( MTU * tx-ring ) / line-speed 


To configure the tx-—ring under an ATM PVC, on any product except the ONE20/100, you configure the 
maximum number of frames in the tx-ring, which corresponds to the maximum latency: 


Cit 
Chi 
Chi 
Cio 


configure)> interface atm 0.<id> 

config-if)> pve { ipoa | pppoa | pppoeoa } vpi <vpi> vei <vci> 
pvc)> tx-ring max-buffers <nb-buffer> 

pvc)> execute 


a ~~ ~ 


On the ONE20/100, the tx-ring is considered full if a certain quantity of data is stored in the tx-ring. 
You only need then to configure the maximum latency: 


CEI 
Chi 
Chi 
Cid 


configure)> interface atm 0.<id> 

config-if)> pve { ipoa | pppoa | pppoeoa } vpi <vpi> vei <vci> 
pvc)> tx-ring max-latency <milliseconds> 

pvc)> execute 


a mC ~—O ~~ 


Reducing this number can make the QoS processing more pre-emptive (i.e. the scheduling algorithm is 
often interrupted), thereby resulting in degraded routing performance. 


For a casual application case (PPP over leased line, 512 kops, MTU = 1500 bytes, tx-ring = 6), the 
worst-case latency is 140 ms. To further reduce transit delays, the Link Fragmentation and Interleaving 
(LFI) is used. The interleaving consists of inserting the priority packets (packets from the EF queues) at the 
beginning of tx-—ring, namely after the second frame in the tx—ring or after the last priority packet if 
there are any in the tx-—ring. Therefore the worst-case latency is equivalent to the serialization time of 
two large frames, i.e. latency = 2 * frame-size / line-speed. While interleaving has a significant effect on 
low-speed links, it has a relative low impact on high-speed accesses. 


To improve further performance, the frame-size can be reduced using fragmentation (FRF.12 or MLPPP 
fragmentation). 


8.1.2.5.3. Shaping on an Interface supporting more than one VLAN 


If several VLAN are configured on an interface, a QoS policy can be applied under certain conditions. The 
QoS policy is applied on the physical interface (efm <x>, atm-aal5 <x>.<y> or fastEthernet 
<x>/<y>). As first step of QoS processing, every packet is put in a class of service. The classification 
criteria can be: 


e 802.1p tag 

e Input interface (so it could map to a 802.1q tag) 
e DiffServ class: DSCP, precedence 

e RTP port range 

e Any standard or extended access list 

e Virtual QoS group 


Then, for each class, one must assign a nested QoS policy to deal with shaping and policing. The nested 
QoS policy offers the same services as those offered for layer-3 QoS, namely: 


e Marking: 802.1p tag, DSCP, precedence, QoS group 
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e Policing: single-rate / two-rate traffic conditioning (re-marking / dropping) 
e DiffServ-compliant Class-Based Queuing 
e Congestion avoidance: RED/WRED, CB-WFQ 


The sum of all bandwidths configured within the nested QoS policies must not exceed the line rate. 
Unused bandwidth by certain classes can be re-used by other classes (of the same or of other nested 
policies according to the remaining bandwidth sharing parameters). 


If policy-maps for layer-3 services are nested in classes of a policy-map for layer-2 services, the sum of 
bandwidth inside a layer-3 class must be lower than the supporting VLAN CIR. The scheduler will serve 
the bandwidth of sub-policies first and will redistribute bandwidth inside each sub-policy up to VLAN CIR. If 
there is remaining bandwidth to share, VLAN priority is used. IP queues are served according to their 
weights if the VLAN EIR is served. 





8. 


8.2.1 


2 


QOS CONFIGURATION COMMANDS 


Configuration of IP QoS can be accomplished in four steps: 


1. Classification: to classify packets into a specific class by defining a class-map applied to either 
input or output interfaces. 


Policing: to limit the rate and burst for a specific traffic class. 


Marking: to set the DSCP field of the IP header to a specific value by defining a policy-map 
associated with either input or output interfaces. 


4. Scheduling: To guarantee the specified bandwidth for each class, with different priorities. 


The data path for QoS processing is as follows: 














input interface output interface 
inbound . outbound sits 
—> classification routing —+* classification ara a 
policing/marking policing/marking g 


























Classification 


To create a new class, use the class-map command: 

CLI (configure)> class-map [ match-all | match-any J] <name> 
This command will create the named class if it does not exist already. With this command one can specify 
the logical function to be used when multiple matching rules are configured. The default is to apply a 


logical "AND" (match-all) on all matching rules of the class. If one needs to apply a logical "OR" for 
contained rules instead, use the following command: 


CLI (configure)> class-map match-any <name> 
The order in which the matching rules are configured does not pertain to the matching result. In the 
implementation, the rules are checked in configuration order. 
The user can rename an existing class by using the following command: 

CLI (config-cmap)> rename <new-name> 


CLI (config-cmap)> exit 


The user can add rules or classifiers in a class-map by using the match commands (see below). To 
remove an existing rule from a class-map, use the 'no match' commands. Do not confuse them with the 
‘match not' command, which means the rule is negated. 


A class-map can be empty. Thus traffic will not be selected by an empty class-map. 
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8.2.1.1 | Classification Using Access Lists 


If packets are to be classified using the IP header fields, users can use access lists (see the IP Access 
Lists configuration guide for more information). To do so, one needs first to create an access-list and then 
give the name of the access-list in the class-map. A simple example is given as follows: 


CLI (configure)> ip access-list standard gos_acl 
CLI (ip-acl-std)> permit 1.2.3.4 
CLI (ip-acl-std)> exit 


Then, the corresponding match rule to add to the class c1 would be as follows: 


CLI (configure)> class-map cl 
CLI (config-cmap)> match access-group qgos_acl 
CLI (config-cmap)> exit 


To create a negative rule, (i.e., a packet matches if it doesn't match the filter), use the following form of the 
command: 


CLI (config-cmap)> match not access-group qos_acl 
8.2.1.2 Classifier Matching All Packets 


To select all packets passing through this class-map, using the following command: 


CLI (config-cmap)> match any 


To select null traffic (to temporarily disable a class-map for example), one can use the negative match 
command: 


CLI (config-cmap)> match not any 
8.2.1.3. Classifier Matching an Input Interface 


The user can set a class to include all packets coming from a specific interface: 


CLI (config-cmap)> match input-interface <type> <unit> 


Any packets coming from an interface are excluded: 


CLI (config-cmap)> match not input-interface <type> <unit> 
8.2.1.4 Classifier for RTP Traffic 


To select real time traffic such as voice and video, encoded in Real Time Protocol (RTP) format, an 
embedded RIP filter in the class-map can be used. Note that RTP runs on top of UDP. Use the following 
command: 


CLI (config-cmap)> match ip rtp <lower-port> <port-—range> 


The negative rule is: 


CLI (config-cmap)> match not ip rtp <lower-port> <port-—range> 
8.2.1.5 Classifier Matching a DSCP Field 


The user can set a class to match packets with some specific DSCP values: 


CLI (config-cmap)> match ip dscp <valuel> [<value2>] .. [<value8>] 


The negative rule is: 


CLI (config-cmap)> match not ip dscp <valuel> [<value2>] .. [<value8>] 
8.2.1.6 Classifier Matching an IP Precedence Value 


The user can set a class to match packets with specific IP precedence values in the TOS field: 
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CLI (config-cmap)> match ip precedence <valuel> [<value2>] .. [<value4>] 


The negative rule is: 


CLI (config-cmap)> match not ip precedence <value 1> [<value2>] 
[<value4>] 


8.2.1.7 Classifier Matching a Virtual QoS Group 


The Virtual QoS Group is used to internally mark a traffic flow, typically using a policy-map at input 
interface, (see below to configure a policy-map). At output interface, the user can use QoS Group to select 
packets marked at input interface: 


CLI (config-cmap)> match ip qos-group <group-value> 


The negative rule is: 


CLI (config-cmap)> match not ip qos-group <group-value> 


8.2.1.8 Classifier Matching 802.1p Tag 


If the QoS policy is applied on Ethernet interface input, we can classify packets based on their 802.1p tag 
as follows: 


CLI (configure)> class-map match-any vlan-prio 
CLI (config-cmap)> [no] match [not] cos <cosl> [<cos2> [<cos3> [<cos4>]]] 


The values of <cos> are integer numbers ranging from 0 to 7. 
8.2.1.9 Classifier Matching 802.1q Tag 


If the QoS policy is applied on Ethernet interface input, we can classify packets based on their 802.1q tag 
as follows: 


CLI (configure)> class-map vlanl01l 
CLI (config-cmap)> [no] match [not] vlan <vlan-idl> [<vlan-id2> 
[<vlan-id3> [<vlan-id4>]]] 


The <vlan-id> values are integer numbers ranging from 0 to 4096. 
8.2.1.10 Classifier Matching an other Class 


Combining logical "AND" and "OR" is not possible within a class-map. But it is possible by using several 
different class-maps and the "match ip class-map" command. This provides a simple method to 
create complex classifiers. An example is given below: 


CL 
Cilia 
Gist 
Chi 
CLI 
Chi 
Clit 
CLI 


configure)> class-map match-all c2 
config-cmap)> match input-interface Atm 0.1 
config-cmap)> match ip dscp 35 
config-cmap)> exit 

configure)> class-map match-any c3 
config-cmap)> match ip class-map c2 
config-cmap)> match ip rtp 1024 10000 
config-cmap)> exit 


ON NN O™~. 


The packet, which either meets all conditions of c2, or is an RTP packet whose port is between 1024 and 
11024, matches the class c3. 


The negative rule is: 


CLI (config-cmap)> match not ip class-map <class-name> 
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8.2.2 Policing, Marking, and Scheduling 


Policing, marking and scheduling are configured by using a policy-map. A policy-map contains a set of 
classes associated with QoS parameters that are necessary to perform a policy action such as marking or 
dropping. To create a policy-map, use the following command: 


CLI (configure) > policy-map <policy-name> 


The user can rename an existing policy-map by using the following command: 


CLI (config-pmap)> rename <new-policy-—name> 
CLI (config-pmap)> exit 


Then, as needed, the user adds to a policy map the classes created by using the class—map command: 


CLI (config-pmap)> class <class-—name> 


This command, if successful, will enter into policy class configuration mode. Then the user can configure 
policy parameters for that class. A policy-map is never empty: the default class called 'class-default' is 
automatically added to a policy-map. It matches any traffic, which does not match any user-defined class. 
The class-default always uses the remaining bandwidth, which must not be zero. As a result, the user can 
not configure the bandwidth parameter on the class-default. 


8.2.3 Traffic policing 


For each class in a policy-map, the user can optionally configure traffic policing. Traffic policing is enabled 
only if the CIR (Committed Information Rate) is configured to a value other than zero. 


To configure the Committed Information Rate (CIR) and optionally the Committed Burst Size (default CBS 
value 4500 bytes) for a class, use the following command in policy class configuration mode: 


CLI (cfg-pmap-c)> police {cir <cir> | cir-percent <percent>} [<cbs>] 


The CIR token (cir, cbs) is specified in Kbits per second (cir) and number of bytes (cbs). If cir Is set 
to zero, that disables traffic policing on that class. 


All other traffic policing parameters are optional. By default, the peak rate and burst are not set; the 
conform-action is set to transmit; the exceed-action set to drop; the violate-action set to drop; the color- 
aware mode is not enabled. 


To configure the Peak Information Rate (PIR) and optionally the Peak Burst Size (default PBS value 12500 
bytes) for a class, use the following command in policy class configuration mode: 


CLI (cfg-pmap-c)> police pir {<pir> | pir-percent <percent>} [<pbs>] 


The PIR token (pir, pbs) is specified in kbps (pir) and number of bytes (pbs). The parameter PIR must 
be greater than or equal to CIR. If it is strictly greater than CIR, traffic is conditioned in the same way as 
specified by tr'CM (RFC 2698). If it is equal to CIR, the burst PBS should be greater than CBS. In this 
case, traffic is conditioned in the same way as specified by srTCM (RFC 2697). 


To configure the conform-action for a class, use the following command in policy class configuration mode: 


CLI (cfg-pmap-c)> police conform-action { transmit | drop | 
set-dscp-transmit <dscp-value> | set-prec-transmit <prec-value> | 
set-group-transmit <qos-group> | set-—clp-transmit | 
set—de-transmit | set-cos-transmit <cos> } 


To configure the exceed-action for a class, use the following command in policy class configuration mode: 


CLI (cfg-pmap-c)> police exceed-action { transmit | drop | 
set-dscp-transmit <dscp-value> | set-prec-transmit <prec-value> | 
set-group-transmit <qos-group> | set-—clp-transmit | 
set—de-transmit | set-cos-transmit <cos> } 


To configure the violate-action for a class, use the following command in policy class configuration mode: 


CLI (cfg-pmap-c)> police violate-action { transmit | drop | 
set-dscp-transmit <dscp-value> | set-prec-transmit <prec-value> | 
set-group-transmit <qos-group> | set-—clp-transmit | 
set—de-transmit | set-cos-transmit <cos> } 
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The violate-action makes sense only if the PIR is configured. 
To enable the color-aware mode, use this: 


CLI (cfg-pmap-c)> police color-aware <green-dscp> 
[ <yellow-dscp> [ <red-dscp> ] J] 


For the classes AF1 to AF4, only green DSCP is required (yellow and red DSCP can be derived from the 
class). For any other class for which no standard codes are defined, all three DSCP values should be 
specified. 


To remove or disable a traffic policing parameter, use the 'no' form of the corresponding command. 


Traffic policing can be also applied to the class-default. A policy-map with traffic policing configured can be 
applied either to an input interface or an output interface, whichever is appropriate. 


8.2.4 Bandwidth Setting 


If a class is a non-priority class, reserve bandwidth required by the class using the following command: 


CLI (cfg-pmap-c)> bandwidth <kbps> 


Or, alternatively the bandwidth can be specified in percent, 


CLI (cfg-pmap-c)> bandwidth percent <1-99> 


If a class is a priority class, reserve the bandwidth required by the class using the following command. The 
burst parameter can optionally be forced in the command. If excess-allowed is used, the priority class will 
also take advantage of the remaining bandwidth distribution based on priority described in 8.2.5.2. 


CLI (cfg-pmap-c)> priority <kbps> [<burst-in-bytes>] [excess—allowed] 


Or, alternatively the bandwidth can be specified in percent: 


CLI(cfg-pmap-c)> priority percent <1-99> [<burst>] [excess-—allowed] 


Note: The OneOS implementation requires that 10 kbps are reserved for the default class. 


The priority class has fixed maximum guaranteed bandwidth (without excess—allowed). The normal 
priority class has minimum guaranteed bandwidth. The remaining bandwidth, after user configuration, is 
given to the default class. The unused bandwidth, at run time, is dynamically shared among all normal 
priority classes and the default class, and the priority classes with excess—allowed. 


The bandwidth for all user-defined classes can be specified in absolute value, or in percent, or using both 
(see latter this section for a configuration example). No matter which method is used, the following rules 
must be respected: 


1. The sum of all absolute bandwidth values must be strictly less than the total bandwidth of the 
interface on which the policy-map will be applied. 


2. Thesum of all bandwidth percentages must be strictly less than 100 percent. 


3. If both absolute values and percentages are used, both above-conditions must always be met. 
Classes with bandwidth in absolute value will have their bandwidth reserved, whereas the 
classes with bandwidth in percent will have their bandwidth computed as _ follows: 
(B—Sum(ABSi) ) xPk, where B is the interface bandwidth, ABSi is the absolute bandwidth for 
class i and Pk Is the percentage for class k. The result must be strictly greater than 0. 


When the above conditions are not met, attaching the policy-map to an output interface will fail. 


The reserved bandwidth per class is the data rate over the underlying data link. The IP QoS scheduler 
component estimates bandwidth usage for each class by adding extra bytes to every packet during 
shaping calculation. The extra bytes represent all lower layer headers, padding, as well as trailers, 
required by a specific network interface protocol. 


One could be surprised by the impact of layer-2 headers: a user flow could be sent at a rate much below 
the reserved rate, but packets are being lost. This is because of a large difference between the IP packet 
size and fixed ATM cell size. For example, an IP packet of 40 bytes (such as TCP ACK or UDP 
datagram’s) will be typically concatenated with a 8- byte lpoA header and a 8-byte AAL5 trailer, which 
makes 56 bytes overall. It will be sent using two ATM cells (48-bit payload + 5-bit ATM header). As a 
result, the IP input rate (assuming all packets are of the same length) will be multiplied by 106/40, i.e. more 
than doubled. In that case, even if user sends data at a rate much lower than the reserved rate, the ATM 
VC is already saturated and a portion of packets is dropped. Therefore if the data flow within a class is 
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composed of small sized packets, the bandwidth provisioning should take this effect into account. For large 
packets (longer than 1000 bytes), the impact of layer-2 overhead is generally not as much visible. 


8.2.5 Remaining Bandwidth Distribution Management 


Usually, all IP classes of service do not fully use their allocated bandwidth simultaneously. There are some 
classes receiving less traffic than the reserved bandwidth, thus allowing the other AF and default classes 
to get more bandwidth. The next paragraph explains how this remaining bandwidth is shared. 


When iterating, the IP QoS scheduler has an overall quantity of data to emit which corresponds to the 
interface bandwidth. During this iteration, the scheduler sends a quantity of data for each class in order to 
guaranty that each class gets at least their respective configured bandwidth. If the overall quantity of data 
to emit has not been fully used, the scheduler can emit additional data from AF and best-effort queues. 


The remaining bandwidth distribution is by default based on the weight of the classes (see 8.2.5.1). It can 
optionally be based on the excess rate priority of the classes (see 8.2.5.2). This excess rate priority 
mechanism can be used, for example, to manage the remaining bandwidth differently for two classes 
having the same weight (the same reserved bandwidth). 


8.2.5.1 Remaining Bandwidth Distribution based on weight 


The quantity of data taken from each queue depends on the weight of the class. 
By default, the weight of a class is equal to: 
Weight = ( class_bandwidth / ip_interface_bandwidth ) x 100 
The sum of all weights is equal to 100. This means a class gets a remaining bandwidth that is proportional 
to its bandwidth. 
To override the default weight, use the following command under class configuration in a policy-map: 


CLI (cfg-pmap-c)> remaining-bw-share <weight> 


<weight> can range from 1 to 99. 


The remaining bandwidth share is equal to the class weight divided by the sum of weights of 
classes having remaining bandwidth to emit. 


Let us take an example to make things clear; assume we have 4 classes: 

e One EF class, with a guaranty of 15% bandwidth uplink, real usage = 10% 

e AF1 class, with 40% of uplink bandwidth, fully used (>40%), weight = 40 

e AF2 class, with 30% of uplink bandwidth, real usage = 10%, weight = 30 

e Best effort class, (remaining reserved = 100—10—40-—30 = 20%), fully used (>20%), weight = 20 


In order to serve all classes with their guaranteed bandwidth, 80 % of the interface bandwidth is used 
(10+40+10+20). 20% of the interface bandwidth have to be redistributed between the class AF1 and BE. 
By applying the formula above, we find the following bandwidth sharing: 


Share (AF1) = weight (AF1) / ( weight (AF1) + weight (BE) ) = 66,7% 
Share (BE) = weight (BE) / ( weight (AF1) + weight (BE) ) = 33,3% 
To restore the default weights for remaining bandwidth sharing, use the following command: 


CLI (cfg-pmap-c)> default remaining—bw-share 
8.2.5.2 | Remaining Bandwidth Distribution based on priority 


This mechanism is automatically activated as soon as at least one class or sub-class of the policy is 
configured with the following command (0 is the lowest priority, 7 is the highest priority): 


CLI(cfg-pmap-c)> excess-rate-priority <0..7> 
The default priority is 0 (the lowest) for classes without excess rate priority including the main class level. 
At sub-class level (classes defined in a sub-policy referenced in the main policy applied to the interface), 


by default the sub-classes inherit the priority of their main class. This inherited priority can be overridden 
by configuring a different excess rate priority in the sub-classes. 
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The excess rate priority mechanism is deactivated, with return to the weight algorithm, as soon as the 
following command is entered for all the classes and sub-classes: 


CLI (cfg-pmap-c)> no excess-rate-priority 
When the excess rate priority mechanism is activated, all classes of the same priority are serviced before 


the classes of lower priority. Lower priority classes are serviced only if there remains unused bandwidth 
after the higher priority classes have been serviced. So it is a strict priority de-queuing. 


The EF (high-priority) classes are only concerned when excess-allowed is used otherwise they are strictly 
limited to their guaranteed bandwidth. AF classes (medium-priority) are concerned. As so the class- 
default class can also be attributed an excess-rate-priority. 


For classes of the same priority, the remaining bandwidth attribution is done using the weight algorithm 
(see 8.2.5.1). 


8.2.6 Flow Based CBWFQ 


For each class, the user can configure flow-based WFQ and optionally, specify the maximum number of 
dynamic queues to be reserved. To enable flow-based WFQ, use the following command: 


CLI (cfg-pmap-c)> fair-queue [<number-of-—dynamic—queues> 


[<dynamic—queue-length>] ] 


By default, the maximum number of dynamic queues Is set to 256. It must be equal to a power of 2 (to use 
some arithmetical properties of binary calculation) and ranges from 16 to 4096. The queue length is by 
default 10 and can range from 1 to 60. To avoid memory exhaustion, the total number of packets for a fair- 
queue class must be less than the queue-limit configured in the next section. 


To disable this feature, use the following command: 


CLI (cfg-pmap-c)> no fair-—queue 
8.2.7 Queue Size 


For each class, the user can set the queue size, i.e. the maximum number of packets that can be placed in 
the queue: 


CLI (cfg-pmap-c)> queue-limit <queue-size> 


To return to the default value, which is 50 (packets): 


CLI (cfg-pmap-c)> default queue-limit 
8.2.8 RED, WRED and ECN 


The user can also enable Random Early Detection (RED) and Explicit Congestion Notification (ECN) for 
each class. To enable RED, use the following command: 


CLI (cfg-pmap-c) > random-detect 


To disable it, use the following command: 

CLI (cfg-pmap-c)> no random-—detect 
If RED is enabled, the maximum threshold is the queue size, and the minimum, half the queue size. The 
mark probability is internally set to 1/10, and the exponential weighted moving average (EWMA) 1/64. 


To enable WRED based on DSCP value (gold/yellow preferred to gold/red preferred to silver/green ...etc.), 
use the following command: 


CLI (cfg-pmap-c)> random-detect dscp—based 


To disable WRED, use the following command: 


CLI (cfg-pmap-c)> no random-detect dscp-—based 
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To specify the minimum and maximum threshold, and optionally the mark-probability denominator for each 
DSCP value, use the following command: 


CLI (cfg-pmap-c)> random-—detect dscp <dscp-value> <min> <max> [<mark-pro>] 
To set the default minimum and maximum threshold, and optionally the mark-probability denominator for 
each DSCP value, use the following command: 

CLI (cfg-pmap-c)> no random-detect dscp <dscp-value> 
To enable WRED based on precedence value (Gold preferred to Silver, preferred to Bronze... and so on), 
use the following command: 


CLI (cfg-pmap-c)> random-detect prec—based 


To disable it, use the following command: 

CLI (cfg-pmap-c)> no random-—detect prec—based 
To specify the minimum and maximum threshold, and optionally the mark-probability denominator for each 
precedence value, use the following command: 

CLI (cfg-pmap-c)> random-detect precedence <prec-value> <min> <max> 

[<mark-pro>] 

To set the default minimum and maximum thresholds and, optionally, the mark-probability denominator for 
each precedence value, use the following command: 


CLI (cfg-pmap-c)> no random-detect precedence <prec-value> 


To enable WRED based on qos-group value, use the following command: 


CLI (cfg-pmap-c)> random-detect qos-—group—based 


To disable it, use the following command: 

CLI (cfg-pmap-c)> no random-—detect qos-—group—based 
To specify the minimum and maximum thresholds and, optionally, the mark-probability denominator for 
each gqos-group value, use the following command: 

CLI (cfg-pmap-c)> random-detect qos-group <qos-group-value> <min> <max> 

[<mark-pro>] 

To set the default minimum and maximum threshold, and optionally the mark-probability denominator for 
each qos-group value, use the following command: 


CLI (cfg-pmap-c)> no random-—detect qos-group <qos-group-value> 


To enable WRED based on 802.1p value, use the following command: 


CLI (cfg-pmap-c)> random-detect cos—based 


To disable WRED, use the following command: 

CLI (cfg-pmap-c)> no random-detect cos—based 
To specify the minimum and maximum threshold, and optionally the mark-probability denominator for each 
DSCP value, use the following command: 

CLI (cfg-pmap-c)> random-detect cos <cos-value> <min> <max> [<mark-—pro>] 
To set the default minimum and maximum threshold, and optionally the mark-probability denominator for 
each DSCP value, use the following command: 

CLI (cfg-pmap-c)> no random-—detect cos <cos-value> 
To configure the exponential weight factor used to calculate the average queue size, use the following 
command: 


CLI (cfg-pmap-c)> random-detect exponential-—weighting-constant 


To set the default exponential weight factor value, use the following command: 
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CLI (cfg-pmap-c)> no random-detect exponential-—weighting-constant 


Explicit Congestion Notification (ECN) is a special feature of the TCP protocol, enabling to warn the remote 
TCP end that congestion is happening. Normally, congestion is controlled through the embedded flow 
control of TCP, which reduces the emission rate when a packet is dropped. Setting ECN when queues 
have reached a certain length enables to manage flow control before packets are dropped, thus optimizing 
the performance of TCP. ECN is made up of two bits. The first one indicates whether or not the ECN 
feature is supported. The second bit is permitted to be marked if the first bit is set. The queue length after 
which the ECN processing is activated corresponds to the RED/WRED threshold: if packets are queued 
when threshold are crossed, they can be marked. ECN takes effect only if RED or WRED is enabled and is 
disabled by default. To enable ECN, use the following command: 


CLI (cfg-pmap-c)> random-detect explicit-—congestion-notification 


To disable ECN, use the following command: 


CLI (cfg-pmap-c)> no random-detect explicit-—congestion-notification 
8.2.9 DSCP Marking 


For each class in a policy-map the user can optionally set the DSCP value in the IP header (giving directly 
the ad-hoc code-point (0-63) or using PHB names (see 8.1.1) or Class-Selector names (see RFC 2474)): 


CLI (cfg-pmap-c)> [no] set ip dscp { <0-63> | ef | af11 | afl2 | af13 
| af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 
| default | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 } 


Or, to set the IP precedence value, use the following command: 


CLI(cfg-pmap-c)> [no] set ip precedence <0Q-7/> 
8.2.10 Virtual QoS Group Marking 


As previously mentioned, it is possible to internally mark a traffic flow. This is useful to perform 
classification at input interface and scheduling at output interface. To set a QoS group value to a class, use 
the following command: 


CLI(cfg-pmap-c)> [no] set qos-group <value> 
8.2.11 CLP Marking 


For each class in a policy-map, user can optionally set ATM CLP bit to 1 (this command is only available 
on ONE60/200/400 OneOS-based routers). 


CLI (cfg-pmap-c)> [no] set atm-clp 
8.2.12 FR DE Marking 


Alternatively, if the uplink is Frame Relay based, we can set the DE bit of every packet handled by this 
policy 
CLI (cfg-pmap-c)> [no] set fr-de 


8.2.13 802.1p Tagging 


The 802.1p tag can be set with the next command: 


CLI (cfg-pmap-c)> [no] set cos <0..7> 


Note that the set cos statement overrides the default priority tagging activated on the interface. 
N.B.: 


e The set cos statement only makes sense on an interface where dot1Q encapsulation is enabled or 
if the interface is dot1 1radio. 


Basic IP User guide Page 8.2-95 of 150 


ONEOS V4.3R4 /V5.1R3 BASIc IP USER GUIDE (EDITION 10) 


e Policy-map can be applied as input or output service-policy. 
e CoS value configured using a policy-map overwrites default CoS value configured under interface. 


e Setting 802.1p user priority bits on a non-dot1Q interface will not fail. The behavior depends on 
interface type: 


o Ondotitradio, the VLAN is not present, no tagging is performed. Nevertheless, the information 
is used by the driver to prioritize outgoing traffic. 


o On other interfaces (including BVI, ATM-AAL5, PPPoEoVLAN), the command virtually sets 
CoS on packets. 


8.2.14 Policy Nesting 


A policy can be used inside a class allowing the user to set a rich QoS, mixing classification, policing and 
shaping; for example mixing layer-3 classification and layer-2 shaping. 


To insert a previously defined policy in a class, use the following command in policy map class 
configuration mode: 


CLI(cfg-pmap-c)> [no] service-policy <policy-name> 
8.2.15 Attaching a Policy to an Interface 


Finally, the QoS parameters that have been defined are applied to an interface either in the input or the 
Output direction. 


First, the user should specify the total bandwidth that is to be used at a given output interface. If this is not 
done, the total bandwidth is set by default to the link bandwidth. 


CLI (configure)> interface <type> <unit> 


CLI (config-if)> bandwidth <kbps> 


Important Note: if no output policy is attached to the interface, an implicit bandwidth shaping is 
applied to limit the traffic on the interface to the total bandwidth. The applied shaping is a CIR 
without EIR (no excess bandwidth allowed) with a single rate token bucket mechanism. 


The user can specify a policy-map in the output direction to apply the defined QoS parameters: 


CLI (config-if)> service-policy output <policy-map> 


On the average, the scheduler will strictly limit the specified bandwidth of the interface and allow fair 
sharing of bandwidth among all defined classes. 


The user can also specify a policy-map in the input direction if required: 


CLI (config-if)> service-policy input <policy-map> 


Again, at an input interface, the service policy classify can be used to classify, police, and mark traffic. 
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8.3 QOS CONFIGURATION EXAMPLES 


In this section, the following examples are given to illustrate: 

e Basic bandwidth management at output interface with CBWFQ. 
e Bandwidth reservation over multiple interfaces. 

e Class based traffic policing. 

e Input rate limiting. 


e Remaining bandwidth distribution. 
8.3.1 Output Bandwidth Management 


There are three classes in this example: the EF class, AF1 class and the Best Effort class. RIP voice 
traffic is placed in the EF class, FIP traffic into AF1, and all remaining into the Best Effort class. An access 
list is used to classify FTP traffic (the FTP server could be found inside or outside the private network). The 
following commands create the required access list and class-maps: 





ATM interface 

















RTP source 


Private Network 
192.168.2.0 


ip access-list extended ftp-acl 

permit tcp 0.0.0.0 255.255.255.255 21 0.0.0.0 255.255.255.255 
permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 21 
permit tcp 0.0.0.0 255.255.255.255 20 0.0.0.0 255.255.255.255 
permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 20 
exit 


class-map afl 
match access-group ftp-acl 
exit 


class-map ef 
match ip rtp 9000 5000 
exit 


Now, define a policy, which contains three classes: 


o The EF class is a priority class and takes 80 kbps (for one non-compressed voice channel). 


o The AF1 class is not a priority class and takes 300 kbps. For traffic matching this class, the 
DSCP is set to that of the AF1 class. In addition, RED and ECN are enabled. 


o No action is performed for the default class, except that fair queuing (WFQ) is enabled 40. The 
default class will take the interface bandwidth minus the bandwidth allocated to the EF and 
AF1 classes. 


Policy-map demo 
class ef 
priority 80 
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queue-limit 40 
exit 


class afl 

set ip dscp 10 

bandwidth 300 

random-—detect 
explicit—congestion-—-notification 
exit 


class class-default 
fair—queue 

exit 

exit 


Finally, apply the policy to the right interface: 


interface Atm 0.1 
bandwidth 2000 
service-policy output demo 
exit 


8.3.2 Bandwidth Reservation over Multiple Interfaces 


In this example, it is shown how to define a policy-map, which can be applied to multiple interfaces, for 
example, a primary interface and a backup interface. The same classes used in the last example will be 
used here. As the priority class EF requires fixed bandwidth, its bandwidth is specified in absolute value. 
The non-priority class AF1 and the class-default will each get 50% of the remaining bandwidth. The 
configuration commands are as follows: 


policy-map demo 
class ef 
priority 80 
queue-limit 20 
exit 


class afl 

set ip dscp 10 
bandwidth percent 50 
random-—detect 

exit 


class class-default 
queue-limit 40 

exit 

exit 


Apply the policy to the right interfaces: 


interface Atm 0.1 
bandwidth 2000 
service-—policy output demo 
exit 


interface Serial 0.1 
bandwidth 128 
service-—policy output demo 
exit 


On the interface Atm 0.1, the EF class will get 80 kb/s, the class AF1 and the class-default each get 960 


kb/s. On the interface Serial 0.1, the EF class will get 80 kb/s, the class AF1 and the class-default each get 
only 24 kb/s. 
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8.3.3 


8.3.4 


8.3.5 


Class based Traffic Policing 


In this example, traffic conditioning using tr. CM (Two Rate Three Color Marker) is illustrated. In the first 
policy-map, the class AF1 is still used as an example. The traffic flows within AF1 are guaranteed to send 
as much traffic as 500 kbps (committed information rate) with 10 kbps burst. Traffic below this rate is 
marked green (AF11). The traffic aggregate within AF1 can be accepted as much as 800 kbps (peak 
information rate) with 20 kbps burst. Traffic below this rate is marked yellow (AF 12). If the traffic aggregate 
within AF1 goes beyond this rate, known as red, it is always dropped (though it can be marked as red and 
transmitted). In addition, color-aware mode is enabled, it means that input packets pre-colored as yellow or 
red will have higher drop probability than the green ones. This policy-map is attached to the input interface, 
FastEthernet 0/0. 


The configuration commands are as follows: 


policy-map diffserv-tcb 

class afl 

police cir 500 10000 

police pir 800 20000 

police conform-action set-dscp-transmit afi1l 
police exceed-action set-dscp-transmit af12 
police violate-action drop 

police color-aware af1l1 af12 af13 

exit 

exit 


Input Rate Limiting 


In this example, a policy-map is defined for input rate limiting and attached to FastEthernet 0/0. All traffic 
received on FastEthernet 0/0 should not exceed 1 Mbps (as CIR). Non-conforming traffic is simply 
dropped. No actions need to be configured since the default conform-action is to transmit; the default 
exceed-action is to drop. 


The configuration commands are as follows: 


policy-map in-rate-limit 
class class-default 
police cir 1000 20000 
exit 

exit 


interface FastEthernet 0/0 
service-—policy input in-rate-limit 
exit 


Remaining bandwidth distribution 


In this example, the line rate is 2 Mbps. Two VLAN, 101 and 102, have a 400 kbps CIR with each two 
layer-3 class policies (250+150 kbps). VLAN 101 has excess rate priority 1, VLAN 102 has priority 2. 


The scheduler will first serve the layer-3 classes up to their configured bandwidth. Then, inside each 
VLAN, the bandwidth up to the CIR will be allocated to the default class, then again to the layer-3 classes 
and the best effort class. The remaining bandwidth will first be allocated to VLAN 101 (priority 1) classes 
according to their weights then to VLAN 102 (priority 2) when VLAN101 queues are emptied. 


The configuration commands are as follows: 


class-map vlanl101 
match vlan 101 

exit 

class-map vlanl102 
match vlan 102 

exit 


class-map internet-vlan101 
match access-group internetl 
exit 
class-map data-vlani10l1 
match access-group datal 
exit 
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class-map internet-vlanl102 
match access-group internet2 
exit 
class-map data-vlan102 
match access-group data2 
exit 


policy-map vlanl101Shaper 
class internet-vlanl101 
bandwidth 250 
exit 
class data-vlanl01l 
bandwidth 150 
exit 
exit 
policy-map vlanl02Shaper 
class internet-vlanl102 
bandwidth 250 
exit 
class data-vlanl102 
bandwidth 150 
exit 
exit 


! Main Shaper 
policy-map vlanShaping 
class vlanl101 
bandwidth 400 
service-policy vlanil01Shaper 
excess-rate-priority 1 
exit 
class vlanl102 
bandwidth 400 
service-policy vlanl02Shaper 
excess-rate-priority 2 
exit 
exit 


interface atm-aal5 0.1.1 
ip address 10.10.1.1 
encapsulation dotigq 101 

exit 

interface atm-aal5 0.1.2 
ip address 10.10.1.2 
encapsulation dotlq 102 

exit 

interface atm-aal5 0.1 
pvc vpi 1 vci 32 

qos ubr pcr 2000000 
execute 
service-policy vlanShaping output 
exit 
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8. 


4 


QOS STATISTICS 


At any stage of the configuration, information about the configured QoS settings can be displayed. 


To display the matching rules about a class: 


CLI> show class-map [<class-name>] 


If the class name Is missing, all existing classes will be displayed. For example: 


CLI> show class-map ef 
class-map match-all ef 

match ap rtp 9000 5000 

exit 


To display the policy settings of a policy: 


CLI> show policy-map demo 
policy-map demo 

class afl 
explicit-—congestion-notification 
random-—detect 

bandwidth 300 

set ip dscp 10 

exit 

class ef 

queue-limit 20 

PrLority 80 

exit 

class class-default 

queue-limit 55 

exit 

exit 


If the policy name is missing, all existing policies will be displayed. 


To display only the information about a class in a policy: 


CLI> show policy-map demo class afl 
policy-map demo 

class afl 

explicit-congestion-notification 
random-—detect 

bandwidth 300 

set ip dscp 10 

exit 


To display the traffic statistics for a policy on an interface, use the following command: 


CLI> show policy—-interface [input | ouput ] [<intf> <unit>] [class <cls>] 


CLI> show policy-interface Atm 0.1 

Atm0O.1: output service policy demo 

Class ‘ef': high priority 

bandwidth 80 kb/s, queue length/limit 0/20 

mean input rate 74400 bits/s, mean output rate 74400 bits/s 
packets output 4831, packets dropped 0 (0%) 

bytes output 1806794, bytes dropped 0 (0%) 

Class ‘'afl': medium priority 

bandwidth 300 kb/s, queue length/limit 6/60 

mean input rate 298104 bits/s, mean output rate 298104 bits/s 
packets output 6842, packets dropped 0 (0%) 

bytes output 9805313, bytes dropped 0 (0%) 

random early detection: 

explicit congestion notification 

min/max threshold 30/60, EWMA 6 (1/64), mark probability 1/10 
mean queue length 7, early drops 0, tail drops 0 

Class 'class-default': medium priority 

bandwidth 1620 kb/s, queue length/limit 54/55 

mean input rate 1887096 bits/s, mean output rate 1598376 bits/s 
packets output 23410, packets dropped 3509 (13%) 

bytes output 35325224, bytes dropped 5298770 (13%) 

Interface total: 

bandwidth 2000 kb/s 

mean input rate 2259600 bits/s, mean output rate 1972104 bits/s 
packets output 35084, packets dropped 3509 (9%) 
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bytes output 46937705, bytes dropped 5298770 (10%) 


To reset QoS related counters, use the following command: 


CLI> clear policy-interface [input | output] [<interface> <unit>] 
[class <class-—name>] 





8.5 QOS DEBUG AND TRACE 


To enable debugging IP QoS, use the following command in global mode: 


CLI> debug ip qos 


To disable debugging IP QoS, use the ‘no' form of the above-referenced command. 





8.6 QOS MANAGEMENT INFORMATION BASE (MIB) 


The DiffServ MIB, specified in RFC 3289, is supported, in read-only mode at present. 
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9 POLICY BASED ROUTING 
Policy based routing can be defined as routing packets to outgoing path according to user-defined policy, 
which often makes use of criteria different from that used in the routing table. This section describes the 
main features of Policy Based Routing (PBR) and its configuration. 

9.1 PBR FEATURES 


By classical IP routing, input packets are forwarded to the outgoing interface with regard to its destination 
address contained in the IP header. The routing information is commonly specified in the routing table, on 
a network prefix/mask basis. This scheme works fine in most cases, but suffers from poor flexibility. For 
example, one may want to route critical traffic via a safer path than that used by other non-critical traffic. 


Policy based routing provides greater flexibility to meet a wide range of application requirements. It allows 
the selection of input traffic using a rich set of criteria, such as IP source address and destination address, 
DSCP or IP precedence value, and TCP/UDP ports. The selected traffic can be marked with a new DSCP 
or IP precedence value and can be forwarded to a specific next hop router or interface thereby bypassing 
the routing table. 


In common use, policy based routing can be used to provide the following services: 
e Link based traffic separation. 

e Application sensitive routing. 

e Protocol sensitive routing. 

e Source and/or destination based routing. 

e QoS based routing. 


For example, RIP voice traffic can be sent through a low delay and low loss link (or connection) whereas 
other traffic (such as HTTP, FTP) can be sent through an alternative link; or the traffic generated by a 
batch file transfer could be routed to a leased line, and the traffic issued elsewhere will be routed via an 
ISP network. 


Packets routed by policy based routing are fast forwarded such that the performance is at least as good as 
normal forwarding. Policy based routing is applied at the input interface after all inbound processing such 
as NAT, QoS, ACL if configured. PBR can also be applied for internally generated flows such as telnet or 
Voice over IP. All outbound processing configured at the output interface is also applied before sending 
the packet to the underlying data link. 
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9.2 PBR CONFIGURATION COMMANDS 


Configuration of policy based routing is done in a very straightforward way. More specifically, similar to 
QoS policy-map, policy based routing makes use of class-map to select/classify traffic. Policy-route-map 
should be defined to specify the routes to use for each class type. Configuration of policy based routing 
can be divided into the following steps: 


e Create access lists to catch input traffic — optional. 

e Create class-maps to classify traffic into classes — required. 

e Create policy-route-map to specify policy routing — required. 

e Apply policy-route-map to input interface or to internal traffic — required. 


This section will focus on the configuration of policy-route-map. For the details on how to configure IP 
access lists and class-map, please refer to the sections regarding "IP Access Lists" and "IP Quality of 
Service". 


9.2.1 Creating a policy-route-map 


To create a policy-route-map, use the following command in global configuration mode: 


CLI (configure)> policy-route-map <policy-name> 


This command, if successful, will enter into policy-route-map configuration mode. To delete a policy-route- 
map, use the no form of the above command. 


A policy-route-map is a container of traffic classes associated with routing policy. User can add classes to 
a policy-route-map. A policy-route-map is never empty: the default class called ‘class-default' is 
automatically added to a policy-route-map after creation. It matches any traffic, which does not match any 
user-defined class. 


9.2.2 Adding a class to a policy-route-map 


To add a class created by using a class-map to the policy-route-map, use the following command in policy- 
route-map configuration mode: 


CLI (config-prmap)> class <class-—name> 


This command, if successful, will enter into policy-route-map class configuration mode. To delete a class 
from the policy-route-map, use the no form of the above command. 


TO specify routing policy for the default class, use class—default as class name. 


At run time, input traffic will be matched against each user-defined class in configuration order. Upon the 
first matching class, the associated actions (marking and/or routing) are applied. If no user-defined class 
matches the traffic, the actions associated with the default class are applied to the traffic. If no actions are 
associated with the default class, traffic will be passed to IP routing, that is, routed using the routing table. 


One or more actions can be associated with any user-defined class as well as the class class-default. 
Routing actions (by setting output interface or next hop) are applied after marking actions. 


9.2.3 DSCP Marking 


For each class in a policy-route-map, to set the DSCP value in the IP header (giving directly the ad-hoc 
code-point (0-63) or using PHB names (see 8.1.1) or Class-Selector names (RFC 2474)), use the following 
command in policy-route-map class configuration mode: 


CLI (cfg-prmap-c)> set ip dsep { <0-63> | ef | afl1 | afl12 | af13 
| af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 
| default | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 } 
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Or, to set the IP precedence value, use the following command: 


CLI(cfg-prmap-c)> set ip precedence <0-7> 


To remove such an action, use the no form of the corresponding command. 
9.2.4 DF bit marking 


For each class in a policy-route-map, to set the DF bit value in the IP header, use the following command 
in policy-route-map class configuration mode: 


CLI(cfg-prmap-c)> set ip df { 0 | 1 } 
To remove such an action, use the no form of the corresponding command. 
9.2.5 802.1p Tagging 


The 802.1p tag can be set with the next command: 


CLI (cfg-pmap-c)> set cos <0..7> 


Note that the set cos statement overrides the default priority tagging activated on the interface. 
N.B.: 


e The set cos statement only makes sense on an interface where dot1Q encapsulation is enabled or 
if the interface is dot1 1radio. 


e CoS value configured using a policy-route-map overwrites default CoS value configured under 
interface. 


e Setting 802.1p user priority bits on packets transmitted on a non-dot1Q interface or on an interface not 
configured to do dot1Q, will not fail. The behavior depends on interface type: 


o Ondotitradio, the VLAN is not present, no tagging is performed. Nevertheless, the information 
is used by the driver to prioritize outgoing traffic. 


o On other interfaces (including BVI, ATM-AAL5, PPPoEoVLAN), the command virtually set CoS 
on packets. 


9.2.6 Virtual QoS Group Marking 


It is possible to internally mark a traffic class. This is useful to perform other QoS processing such as traffic 
policing and scheduling at output interface by using the qos-group as filtering criteria. To set a QoS 
group value to a class, use the following command in policy-route-map class configuration mode: 


CLI(cfg-prmap-c)> set qos-group <0-99> 
To remove such an action, use the no form of the above command. 
9.2.7 CLP Marking 


For each class in a policy-route-map, to set ATM CLP bit to 1, use the following command in policy-route- 
map class configuration mode (this command is only available on ONE60/200/400 OneOS-based routers): 


CLI (cfg-prmap-c)> set atm-clp 
To remove such an action, use the no form of the above command. 
9.2.8 FR DE Marking 


Alternatively, the DE bit of every packet matching the policy class map can be marked: 


CLI (cfg-prmap-c)> set fr-de 


9.2.9 Setting Output Path 
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Output path is specified either by output interface or next hop. To set the output interface or next hop 
address for a class, use the following commands in policy-route-map class configuration mode: 


CLI(cfg-prmap-c)> set interface <type> <unit> 
CLI (cfg-prmap-c)> set ip next-hop <ip-address> 


Multiple output interfaces or next hops can be set for each class (by entering the same command multiple 
times). If output interface is used, that implies that the destination network Is either directly connected or 
the interface is a point-to-point interface. In other cases, next hop should be used instead. 


At run time, the specified output paths are checked in configuration order. Upon the first path which has its 
status UP, traffic matching this class will be sent out through it. If none of the specified output paths is UP, 
the traffic will be handed to IP routing, that is, routed using the routing table. 


Therefore to provide backup route for the traffic, user can either set multiple output paths or use normal IP 
routing. If the traffic is highly critical, user may want it to arrive at its destination through a secure path or 
not at all. In that case, to forbid the traffic going out via normal routes (by IP routing) when the preferred 
path is down, the following commands can be used for example: 


CLI (cfg-prmap-c)> set interface atm 0.1 
CLI (cfg-prmap-c)> set interface null 0 


In this way, when the interface ATM 0.1 goes down, traffic will be dropped. 
To remove such an action, use the no form of the corresponding command. 


9.2.10 Attaching a policy-route-map to an Interface 


Policy routing is applied to input interfaces. To attach a policy-route-map created earlier to an input 
interface, use the following command in interface configuration mode: 


CLI (config-if)> ip policy-routing <routemap> 


<routemap> is the name of policy-route-map. The same policy-route-map can be attached to multiple 
interfaces. 


To disable policy routing on an interface: use the no form of the above command. 
9.2.11 Attaching a policy-route-map to internally generated traffic 


To apply a policy-route-map to traffic generated by the router, use the following command in global 
configuration mode. The vrf-name Is optional. If not provided the default VRF is used. 


CLI(configure)> [no] ip local [vrf <vrf-name>] policy-route-map <name> 


Basic IP User guide Page 9.2-106 of 150 


ONEOS V4.3R4 /V5.1R3 BASIc IP USER GUIDE (EDITION 10) 





9.3 


9.3.1 


9.3.2 


PBR CONFIGURATION EXAMPLE 


Flow separation 


In the following example, it is intended to route real-time traffic through a serial line, flow-controlled traffic 
(TCP) through interface ATM 0.1, and non flow-controlled traffic (UDP, ICMP, etc.) through a different 
interface ATM 0.2. 


RTP traffic is classified into the class called rtp; all TCP traffic into the class tcp-flows. A policy-route- 
map, namely routemap1, is created which includes the class rtp, the class tcp-—flows, the class class- 
default (non flow-controlled traffic). Here RTP flows are either routed through the serial line or not at all 
(dropped if the serial line is down). But for TCP and default flows, if the corresponding output interface 
goes down, they will be handed to IP routing. 


Here is the configuration script: 


ip access-list tcp-acl 
permit tcp 0.0.0.0 0.0.0.0 0 0.0.0.0 0.0.0.0 O 
exit 


class-map rtp 
match ip rtp 10000 2000 
exit 


class-map tcp-flows 
match access-group tcp-acl 
exit 


policy-route-map routemapl1 
class rtp 

set interface serial 0.1 
set interface null 0O 
exit 

class tcp-flows 

set interface atm 0.1 
exit 

class class-default 

set interface atm 0.2 
exit 

exit 


interface FastEthernet 0/0 
ip policy-routing routemap1l 
exit 


Internal Flow Marking 


This example shows how to mark all packets generated by the router. This can be useful when you classify 
packets at the output based on the DSCP value to apply a specific QoS: you only need to mark internal 
flows to force the corresponding packets to be queued in a specific CoS. 


Class-map internal_flows 

match any 

exit 
policy-route-map mark_internal_flows 

class internal_flows 

set dscp 44 

exit 

exit 

ip local policy-route-map mark_internal_flows 
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9.4 PBR STATISTICS 


To display the policy route configuration, use the following command: 


CLI> show policy-—route-map 


To display statistics about the policy routing, use the following command: 


CLI> show policy-route-interface [vrf <vrf-name>] 


To clear statistics about the policy routing, use the following command: 


CLI> clear policy-route-interface [vrf <vrf-name>] 





9.5 PBR DEBUG AND TRACE 


To enable IP interface debugging, use the following command: 


CLI> debug ip interface 


To disable IP interface debugging, use the 'no' form of the above command. 
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10 DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) 


This section describes the main features of the Dynamic Host Configuration Protocol (DHCP) client-server, 
and relay, and their configuration. 





10. 


1 


DHCP FEATURES 


The DHCP protocol is intended to supply configuration parameters to hosts as part of their start-up 
procedure. The DHCP protocol provides a mechanism to assign network addresses to hosts. DHCP hosts 
are dynamically configured, thus allowing considerable reduction of the work usually done by the network 
administrator. 


DHCP is built on a client-server model, where the server allocates the network addresses to clients upon 
requests. In addition, DHCP is often used to deliver other configuration parameters to clients, such as DNS 
server(s) and the default router. 


In DHCP, the parameters transferred from a server to clients are called options. The most frequently used 
option is IP address. 


DHCP provides three methods to assign an IP address to a client: 


o Automatic allocation: DHCP assigns a permanent IP address to a client (for an infinite period of 
time). 


o Dynamic allocation: DHCP allocates an IP address to a given client for a limited period of time. 


o Manual allocation: A client's IP address is assigned by the administrator, and DHCP is used 
simply to convey the assigned address to that client. 


The DHCP protocol is described in RFC 2131. DHCP is an extension of the BOOTP protocol. Being the 
case, BOOTP clients are interoperable with DHCP server. 


The maximum number of addresses that can be managed by the DHCP server is 1024 (or higher 
according to the version). 


Additionally, DHCP relay service enables DHCP clients to reach DHCP servers located in other network 
segments. DHCP relay forwards client-originated DHCP packets to a DHCP server, and vice-versa. The 
DHCP relay service is described in RFC 3046. 
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10.2 DHCP CONFIGURATION COMMANDS 


The configuration of DHCP can be divided into three steps. Users can complete one or all of the steps 
according to their specific requirements: 


o Configuring DHCP Client 
o Configuring DHCP Server 
o Configuring DHCP Relay 


The DHCP client is configurable on all interfaces of OneOS-based routers, including WAN interfaces. It 
provides the ability to retrieve configuration data of a router. 
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10.2.1 Configuring DHCP Client 


If an interface is DHCP client, DNS servers and default route may be learnt; they will be valid only on the 
VRF of the interface configured as DHCP client (or the default VRF if not configured). 


10.2.1.1_ Configuring DHCP Client Option 61 — Client Identifier — on Ethernet Interfaces 


To obtain an IP address on Ethernet interfaces from a DHCP server, use the following command: 


CLI (configure)> interface { ethernet | fastethernet | gigabitethernet 

| dotllradio | efm } <unit> 
CLI (config-if)> ip address dhcp [client-id <cliid>] [hostname <hostname>] 
CLI (config-if)> exit 


When the optional client-id argument is not present, the DHCP DISCOVER message uses the MAC 
address of the interface otherwise if present it uses the cliid string value (as DHCP option 61). 
To disable the DHCP client, use the following command: 


CLI (config-if)> no ip address dhcp 
10.2.1.2 Configuring DHCP Client Option 61 — Client Identifier — on another interface 
To obtain an IP address (as well as autoconfiguration parameters) on another interface (BVI, ATM, etc.) 
from a DHCP server, use the following command in other interface configuration mode: 
CLI (config-if)> ip address dhcp client-id <ethernet-interface> <unit> 
The argument indicates the MAC address of which interface shall be used in the DHCP DISCOVER 


message. The DHCP message is an IP datagram unless bridging is enabled (then, the DHCP message is 
a MAC frame). 


To disable the DHCP client, use the following command: 


CLI (config-if)> no ip address dhcp 
10.2.1.3 Configuring DHCP Client Option 51 — Lease Time 


When OneOS sends DHCP requests, it might be desirable to define some DHCP options. Option 51 
(DHCP lease) is sent by default; the command to not send this option is (in interface configuration mode): 


CLI (config-if)> [no] ip dhcp client lease-opt-less 
10.2.1.4 Configuring DHCP Client Option 60 — Vendor Class Identifier 


To set the Vendor Class ID ASCII string (DHCP option 60), the following command must be used in global 
configuration mode (vendor Class ID is globally defined and apply to all VRF): 

CLI (configure)> ip dhcp vendorid <vendor-id> standard 
The Vendor Class ID can be configured with another command syntax, whereby the option 60 
concatenates vendor-id and the OneOS version name. Command syntax in global configuration mode: 


CLI (configure)> ip dhep vendorid <vendor-id> 
10.2.1.5 Configuring DHCP Client Option 77 — User Class 


The DHCP option 77 (called User-Class) is an ASCII string that is set on the DHCP client. The DHCP 
server may match this option to select appropriate option values in the DHCP responses. The option is set 
as follows in interface configuration mode: 


CLI (config-if)> [no] ip dhep client user-class-id <user-class-—id> 
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10.2.1.6 Configuring other DHCP Client Options 


A DHCP client may ignore the default route learnt via DHCP protocol; this function is useful if multiple 
interfaces are DHCP clients, but only one interface must be able to get the default route: 


CLI (config-if)> [no] ip dhep client ignore-default-route 


The next command turns on/off the broadcast flag in client DHCP messages, so that the server is made 
aware if the server DHCP packets must be unicast or broadcast. The vr£-name is optional. If not provided 
the default VRF is used. 


CLI(configure)> [no] ip dhep [vrf <vrf-name>] client broadcast-flag 
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10.2.2 Configuring DHCP Server 


10.2.2.1_ Configuring a Database Agent 


A database agent is a host that stores the DHCP binding database of the server. This is useful to restore 
the state after reboot. It is possible to configure the interval time between database updates (optional). 


To configure a database agent, use the following command in global configuration mode: 


CLI (configure)> ip dhcp database <url> [<update-interval>] 


An example URL is ftp://username:password@10.1.2.38/dhcp/server/database. 


By default, the interval to update database is 600 seconds. 
To delete a database agent, use the following command in global configuration mode: 


CLI(configure)> no ip dhcp database 


10.2.2.2_ Creating an Address Pool 


The DHCP address pool contains IP addresses and other configuration parameters. The pool is used by 
the server to provide addresses to the clients. To create a DHCP address pool, use the following 
command in global configuration mode: 


CLI (configure)> ip dhcp pool <pool-name> 

CLi-(dhep=conrig)> 
By entering this command the user enters the DHCP configuration mode. A number of commands are 
available to manipulate the address pool. 
To remove the address pool, use the following command: 


CLI (configure)> no ip dhep pool <pool-name> 
10.2.2.3. Assigning the Pool to a non-default VRF 


The DHCP server pools are by default active on the default VRF, use the following command to assign the 
pools to another VRF. 


Note that this command erases the whole previous IP configuration of the pool. 


CLI (dhcp-config)> vrf <vrf-name> 


To assign the pool again to the default VRF, use the following command: 


CLI (dhcp-config)> no vrft 
10.2.2.4 Linking the pool to an interface 


In order to have the pool used by the DHCP server on an interface, use the following commands: 
CLI (configure)> interface <interface> 


CLI (config-if)> ip address pool <pool-name> 


Then, in DHCP configuration mode, configure the IP address range, the bindings, and then configure other 
DHCP options associated with this pool, such as DNS Server, default router, etc. 


10.2.2.5 Using IPCP to add Addresses to the Pool 


The address pool can be automatically created using the address and the mask retrieved by IPCP (needs 
ipcp mask-request and ip unnumbered <interface> commands under PPP), use the following 
command: 


CLI (dhcp-config)> origin ipcp 
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10.2.2.6 Adding Addresses to the Pool 


There are two ways to add addresses to the pool. 


To add addresses to the pool indicating an address range, use the following command in DHCP 
configuration mode: 


CLI (dhcp-config)> network range <start-—ip-address> <end-ip-address> 
To add addresses to the pool indicating a start IP address and a number of IP addresses, use the 
following command in DHCP configuration mode: 

CLI (dhcp-config)> network <start-—ip-address> <number> 
number can be provided as a mask either encoded in four-part dotted-decimal format or as CIDR 
(Classless Inter-Domain Routing) prefix (it is the number coded by the bits left to 0). 


For example: 
network 10.10.10.18 255.255.255.248 and network 10.10.10.18 29 
create both a pool of 8 addresses starting from 10.10.10.18 (up to 10.10.10.25) because of 3 bits left to 0. 


Once the IP address range is configured, one can configure other DHCP options associated with this pool, 
such as DNS Server, default router, etc. 


The network mask provided to DHCP clients is the network mask configured on the interface where the 
DHCP server is directly connected. To specify a different network mask, use the netmask command. 


To remove addresses from the pool, use the no form of the above-referenced command. 
10.2.2.7 Excluding Addresses 


To exclude one or more IP addresses (for example, the interface address or other manually assigned 
addresses) to be assigned by the server, using the following command in global configuration mode: 


CLI (configure)> ip dhep [vrf <vrf-name>] excluded-address <start-—address> 
[<end-address>] 
To exclude a range of IP addresses, use a command with start-address and end-address. 
To exclude several non-consecutive IP addresses, use several commands with only start-address. 
The vrf-name is optional. If not provided the default VRF is used. 


To remove specific excluded IP address or addresses, use the no form of the above-referenced command. 


To remove all excluded IP addresses, use the following in global configuration mode: 


CLI(configure)> no ip dhep [vrf <vrf-name>] excluded-address all 
10.2.2.8 Configuring a Manual Binding 


To configure a manual binding, first enter in DHCP configuration mode: 
CLI (configure)> ip dhep pool <pool-name> 
To create a manual binding between IP address and hardware address, use the following command. The 
MAC address must match the received Option 61 when of the form MAC address. 
CLI (dhcp-config)> host <ip-address> 
CLI (dhcp-config)> hardware-address <MAC-address> ethernet 
MAC-address Is in a format such as: 00:80:DE:AD:BE:EF. 


Alternatively, a binding may be declared to match the received Option 61 when of the form string using the 
following command: 


CLI (dhcp-config)> host <ip-address> 
CLI (dhcp-config)> client-identifier <string> 


To remove the manual binding or an option in a manual binding, use the no form of the corresponding 
command. 
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Following the above-referenced commands, one can also set other DHCP options associated with the 
host; client name, hostname, etc. 

10.2.2.9 Configuring DHCP Server Option 1 — Network Mask 


To configure the network mask, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> netmask <netmask> 
To restore the default network mask, use the no form of the above-referenced command. 
10.2.2.10 Configuring DHCP Server Option 3 — Default Router 


To set a default router, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> default-router <ip-address> [ip-address] [ip-address] 
To remove the default router, use the no form of the above-referenced command. 
10.2.2.11 Configuring DHCP Server Option 6 — DNS Server 


To set DNS servers, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> dns-server <ip-address> [ip-address] [ip-address] 
To remove the DNS server, use the no form of the above-referenced command. 
10.2.2.12 Configuring DHCP Server Option 12 — Client Name 


To set a client name, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> client-name <hostname> 
To remove the client name, use the no form of the above-referenced command. 
10.2.2.13 Configuring DHCP Server Option 15 — Domain Name 


To set the domain name, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> domain-name <name-string> 
To remove the domain name, use the no form of the above-referenced command. 
10.2.2.14 Configuring DHCP Server Option 44 — NetBIOS Name Server 


To set NetBIOS (WINS) name servers, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> netbios-name-server <ip-address> [ip-address] 
To remove the name server, use the no form of the above referenced command. 
10.2.2.15 Configuring DHCP Server Option 46 — NetBIOS Node Type 


To set the NetBIOS (WINS) node type, use the following command in DHCP configuration mode: 
CLI (dhcp-config)> netbios-—node-type { b-node | h-node | m—node | p-node } 


To remove the node type, use the no form of the above-referenced command. 
10.2.2.16 Configuring DHCP Server Option 51 — Lease Time 


The lease time is the time during which the address allocated to a DHCP client remains valid. After the 
lease time, the DHCP client must renew its address. To set the address lease time, use one of the two 
following commands in DHCP configuration mode: 
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CLI (dhcp-config)> lease <days> 
CLI (dhcp-config)> lease infinite 


The default lease time is 24 hours. To return to the default value, use the no form of the above-referenced 
command. 


10.2.2.17 Configuring DHCP Server Option 60 — Vendor Class Identifier 


The following option adds a rule in the DHCP server to match the option 60 (Class ID). A DHCP client 
must include the option 60 that matches the value configured under the DHCP pool so that the DHCP 
server uses that pool to respond. In case several matching rules are defined, all rules must be matched. 


The Class ID is set as follows under DHCP pool configuration: 


CLI (dhcp-config)> class-id <ascii-string> 


To remove the Class ID option: 


CLI (dhcp-config)> no class-id 
10.2.2.18 Configuring DHCP Server Option 61 — Client Identifier 


To set a client identifier, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> client-identifier <tp:aa.bb.cc.dd.ee.ff> 


All values are given in hexadecimal with tp being the client type; for example: 01 for Ethernet type. 


To remove the client identifier, use the no form of the above-referenced command. 
10.2.2.19 Configuring DHCP Server Option 67 — Boot File Name 


To set a boot file name, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> boot-file <filename> 


To remove the boot file name, use the no form of the above-referenced command. 


10.2.2.20 Configuring DHCP Server Option 77 — User-Class 


The following option adds a rule in the DHCP server to match the option 77 (User-Class). A DHCP client 
must include the option 77 that matches the value configured under the DHCP pool so that the DHCP 
server uses that pool to respond. In case several matching rules are defined, all rules must be matched. 


The User-Class is set as follows under DHCP pool configuration: 


CLI (dhcp-config)> user-class-id <ascii-string> 


To remove the User-Class option, use the no form of the above-referenced command. 


10.2.2.21 Configuring DHCP Server Option — Raw Option 


It is very likely that some options (Such as vendor extensions or standard options to be defined in the 
future) are not covered by the above-referenced commands. Additional options can be set using the option 
code. 


To set a raw option of tyoe ASCII string, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> option ascii <option-code> <ascii-string> 


To set a raw option of type IP address, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> option ip <option-code> <ip-address> 
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To set a raw option of type decimal number, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> option decimal <option-code> <decimal-number> 


To set a raw option of tyoe hexadecimal number, use the following command in DHCP configuration mode: 


CLI (dhcp-config)> option hex <option-code> <hexadecimal-number> 


To remove one of the options above, use the no form of the corresponding command. 
10.2.2.22 Configuring DHCP Server Option — Variable Option 


It may happen that the answer of the DHCP server has to depend on the received request. This can be 
achieved using the following command in DHCP configuration mode: 


CLI (dhcp-config)> match-option <option-codel> <stringl> { exact-match 
| partial-match } set-option <option-code2> <string2> 


When the received option option-codel matches exactly or partially the string string1 the DHCP 
server answers with the string string2 in option option-codeZ2. 


Stringl and string2 are enclosed within quotation marks and can be empty string. This command can 
be entered several times (up to 20). Example: 


CLI (dhcp-config)> match-option 60 "OneAccess" partial-match 
set-option 43 "http://www.oneacces-—net .com/oneprovisio?ipphone=star" 


To remove one of the match-option commands, use the no form of the corresponding command. 
10.2.2.23 AZR Features 


AZR refers to Access Zone Router and designates a router, which manages certain features, especially 
required for WLAN applications: 


e Secure ARP table: the DHCP server maintains the binding database mapping MAC addresses with 
IP addresses. The server initializes the ARP table and deletes ARP entries when the lease time of an 
address expired or when the WLAN station is no more detected (see ARP ping). The secure ARP 
process prevents IP spoofing. In this mode, the ARP table cannot be updated by any other processes 
than the DHCP server (implicit authorized ARP mode). 


e DHCP session accounting: permits to send a start/stop signal to a RADIUS server, when a user 
gets/releases its IP address. Logging off means that the stations was no more detected or explicitly 
released through DHCP its address. This feature can provide basic functions enabling accounting and 
billing of a WLAN connection. Be aware that the accounting start message is only sent to the RADIUS 
server if the WLAN stations are bound to the DHCP server after that the DHCP session accounting 
command are entered. If you wish to restart accounting for all stations, use the clear ip dhcp 
binding * command. 


e Dead stations detection (a.k.a. ARP ping): this feature scans periodically every station in the DHCP 
binding database and cleans the DHCP binding of a WLAN station not responding. 


Secure ARP is enabled by activating the following command under the DHCP server pool: 

CLI (configure)> ip dhep pool <pool-name> 

CLI (dhcp-config)> update arp 
To disable secure ARP: 

CLI (dhcp-config)> no update arp 
If ARP ping is enabled, all the IP addresses in the DHCP binding database are checked every 10 seconds. 
This check sends out ARP requests asking ‘Who has this IP?”. If the same MAC address replies to the 
ARP request, the corresponding entry can stay in the DHCP binding database. If no station replies or 


replies with the wrong MAC address (IP spoofing), the entry is released from the DHCP database (and 
from the ARP table if update arp was entered). To activate the ARP ping: 


CLI (configure)> ip dhep pool <pool-name> 
CLI (dhcp-config)> arp ping [<number>] 
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By default, the server sends 10 ARP requests with a timeout of 0.5 seconds. If no valid reply is retrieved 
after the timeout of the last requests, the binding is considered no more valid. To disable ARP ping: 


CLI (dhcp-config)> no arp ping 


To activate DHCP session accounting, you must first configure an AAA group made up of some RADIUS 
servers (only). The next aaa accounting command activates the accounting service <acc-service>. 
Then the accounting service is referred under the DHCP server pool. 


CLI (configure)> radius-server <ip-l1> <key> 

CLI (configure)> radius-server <ip-2> <key> 

CLI (configure)> aaa group server radius <radius-svr-group> 

CLI (config-sg-radius)> server <ip-1> 

CLI (config-sg-radius)> server <ip-2> 

CLI (config-sg-radius)> exit 

CLI (configure)> aaa accounting network <acc-service> 
start-stop group <radius-—svr-group> 

CLI (configure)> ip dhcp pool <pool-name> 

CLI (dhcp-config)> accounting <acc-service> 


To deactivate DHCP accounting: 


CLI (configure)> no aaa accounting network <acc-service> 
start-stop group <radius-—svr-group> 

CLI (configure)> ip dhcp pool <pool-name> 

CLI (dhcp-config)> no accounting 


10.2.2.24 Clearing Automatic Binding Address 


To delete an automatic address binding from the server database, use the following command (use * to 
clear all automatic bindings: 


CLI> clear ip dhep [vrf <vrf-name>] binding { <ip-address> | * } 


10.2.2.25 Disabling the DHCP server service 


To globally disable the DHCP server service, to set all DHCP-related parameters to their default values, 
and to remove all DHCP commands from the running configuration, use the following command: 


CLI (configure)> no ip dhcp-server 


10.2.3 Configuring DHCP Relay Addresses 


In the following vrf£-name Is optional. If not provided the default VRF is used. 


If the DHCP Server works together with a DHCP relay, the IP address of the relay is to be specified using 
the following command in global configuration mode: 


CLI (configure)> ip dhep [vrf <vrf-name>] relay dhcp-relay <ip-address> 
<netmask> 


To disable the interaction with a DHCP relay, use the no form of the above-referenced command: 


CLI (configure)> no ip dhep [vrf <vrf-name>] relay dhcp-relay 


The smart relay function enables to use the secondary addresses in the giaddr field when the server 
does not respond with a DHCPOFFER packet. To activate this feature, use: 


CLI (configure)> [no] ip dhep [vrf <vrf-name>] relay smart-relay 
10.2.3.1 Configuring DHCP Relay 


If the router works as a DHCP relay, the IP address of DHCP server has to be specified using the following 
command in global configuration mode: 
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CLI (configure)> ip dhcp relay dhcp-server <ip-address> 


To disable DHCP Relay, use the no form of the above-referenced command: 

CLI (configure)> no ip dhcp relay dhcp-server 
The above configuration commands relay incoming DHCP requests from any interface to the server. In 
order to relay requests coming only from one interface, the following command must be preferred: 

CLI (configure)> interface <type> <unit> 


CLI(config-if)> [no] ip helper address <A.B.C.D> 


If an IP helper address is configured, DHCP relay (configured by the ip dhcp relay dhcp-server 
<ip> command) is automatically disabled. IP helper addresses are bound to IP interfaces and therefore 
inherit from interface VRF. IP helper addresses are therefore only valid on the VRF of the interface. 


To allow the DHCP relay to insert option 82 (disabled by default): 


CLI(configure)> [no] ip dhep [vrf <vrf-name>] relay information option 


To allow the DHCP relay to insert the option 82.6 (disabled by default): 


CLI(configure)> [no] ip dhep [vrf <vrf-name>] relay information option 
subscriber-id <string> 
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.3 


DHCP DEVICE ASSOCIATION 


Device association is a set of functions so that the OneOS DHCP server detects LAN devices by means of 
certain DHCP options and applies specific processing. The following functions are implemented: 


e TR-111 association: the DHCP option 125 (and associated sub-options) is used so that the LAN 
device and gateway exchange their identity. The gateway / LAN device identities are then used within 
the CWMP (TR-69) protocol. 


e Secure association: the DHCP option 43 is used. As specified by RFC 2132, the option 43 is a 
“vendor extension” that OneAccess uses to implement a proprietary protocol. This protocol is a 4-way 
handshake protocol such that an OneOS DHCP server securely identifies a remote OneAccess device 
and exchanges encrypted information. The secure association is notably used for the HTTP proxy. 
The HTTP proxy takes incoming HTTP requests and forwards them to the associated LAN device if 
needed. 


To show association statistics and to debug association, use the following commands: 


CLI> show association { cwmp | secured-—association } 
CLI> debug association { cwmp | secured-—association | proxy-—http } 
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10.4 DHCP CONFIGURATION EXAMPLES 


10.4.1 DHCP Client 


Suppose that the address of Ethernet interface in the following figure is obtained through DHCP. This can 
be done using the following configuration commands: 


interface ethernet 0/0 
ip address dhcp 
exit 


10.4.2 DHCP Server 


The following configuration example of the DHCP server will describe how to configure a DHCP address 
pool, a manual binding, and how to exclude IP addresses. 


In this example, the private network uses the private address space 192.168.2.0. The hosts need a DNS 
server and a default router to reach the public network - the Internet. 


A database agent is used to store the binding database. The file transport protocol is TFTP. The TFIP 
server IP address is 192.168.2.133, the database is named "database-binding" and the interval time 
between updates is 60 seconds. 


The primary DNS server address is 193.253.180.3, the secondary DNS server address is 193.253.180.4. 


The default router address is 192.168.2.20, which is the interface address of the router. 


+ 


192.168.2.4/24 
00:80:00:DE:4C:5F 
hostname: alice 


+ 
4 















































Private 
Network 
192.168.2.0 


The configuration is written using the following commands: 


ip dhcp database tftp://192.168.2.133/database-binding 60 
ip dhcp pool server_pool 

network 192.168.2.0 255.255.255.0 
dns-server 193.253.180.3 193.253.180.4 
default-router 192.168.2.20 

exit 

ip dhcp excluded-address 192.168.2.20 

ip dhcp pool alice 

host 192.168.2.4 

hardware-—address 00:80:00:DE:4C:5F ethernet 
client-name alice 
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exit 


10.4.3 DHCP Relay 


192.168.2.4/24 = 
00:80:00:DE:4C:5F 


hostname: alice DHCP Relay 



































192.178.10.0 

















Private 
Network 
192.168.2.0 


The script to use is as follows: 
ip dhcp relay dhcp-server 192.178.10.43 














DHCP Server 
192.178.10.43 


Note that at the DHCP relay, the DHCP server could be connected directly or indirectly through an 


interface other than Ethernet, such as ATM. 
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10.5 DHCP STATISTICS 


Use the following command to display DHCP Server, Client and Relay statistics: 


CLI> show ip dhep [vrf <vrf-name>] statistics 


Use the following command to reset DHCP Server and Relay statistics: 


CLI> clear ip dhcp [vrf <vrf-name>] statistics 


Use the following command to display the available resources: 


CLI> show ip dhcp [vrf <vrf-name>] server pool 


Use the following command to display DHCP binding database: 


CLI> show ip dhcp [vrf <vrf-name>] binding [<ip-address>] 


Use the following command to reset DHCP binding database: 


CLI> clear ip dhep [vrf <vrf-name>] binding { <ip-address> | * } 


Use the following command to display database agent information: 


CLI> show ip dhcp database 





10.6 DHCP DEBUG AND TRACE 


To enable debugging for the DHCP Server, Client and Relay, use the following command in global mode: 


CLI> debug ip dhcp 


To disable debugging for the DHCP Server, Client and Relay, use the ‘no' form of the above-referenced 
command. 
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11 DYNAMIC DNS CLIENT 


This section describes the main features of the Dynamic Domain Name Server and its configuration. 





11 


1 


DYNDNS FEATURES 


DynDNS is a set of protocols that enable to submit changes of public IP addresses to a provider of domain 
names. A DynDNS client tells the name provider that an IP address provided by an ISP changed for a 
given name. The name provider can update the DNS database. This feature is useful when a server/router 
must be reached via a fixed identifier: since its IP address is due to change quite often, the router/server is 
contacted using its FQDN managed via DynDNS (FQDN: Fully Qualified Domain Name, in the form of 
<name>.<domain>.<extension> — like foo.domain.com -). 


Examples: 
o Web server connected via a standard ISP connection 


o Router with IPsec tunnels: the IKE session establishment is done with the IKE peer by 
resolving the peer FQDN (N.B.: only possible when using the IKE aggressive mode) 


o Router with GRE or IP-IP tunnels 


OneOS sends an update to the DynDNS server when an interface with a public IP address goes UP. A 
public IP address is an IP address that is NOT in the following ranges: 


o §=6©.10.0.0.0 - 10.255.255.255 
o §=6172.16.0.0 - 172.381.255.255 
o §©192.168.0.0 - 192.168.255.255 


Typically, when using a PPP over ADSL connection, the service provider assigns a temporary public IP 
address to your router (class A or B addresses). This IP address will be advertised by OneOS. If the 
OneOS-based router does not have any public IP address, no DynDNS update is sent. 
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11.2 DYNDNS CONFIGURATION 


Note: as of V4.3R2E2 software release, DynDNS is not supported outside default VRF. 


To exchange information with the name provider, it is compulsory that the router be authenticated by a 
username/password. Use the following configuration command line to configure a username/password: 


CLI (configure)> ip dyndns username <username> [<password>] 


Use the no form of the above command, to remove authentication: 

CLI (configure)> no ip dyndns username 
Provider of domain names can host several domain names. Depending of the capability of the provider, it 
is possible to configure up to three different domain names. Use the following configuration command line: 


CLI (configure)> ip dyndns hosting <namel> [<name2> [<name3>]] 


Use the no form of the above command to remove hosting configuration: 
CLI (configure)> no ip dyndns hosting 
It is possible to enable access to several hosts other than router itself by using wildcard command. For 


example, ftp server can be accessible by using host name ftp.foo.com. Use the following configuration 
command line: 


CLI (configure)> ip dyndns wildcard { on | off } 


OneOS supports three DynDNS providers that are selected by using following command lines. 


To use dyndns.org DNS support, use the following command line. The optional parameter depends on 
kind of use: dynamic is intended for frequent IP address changes (standard cases with ISP), whereas 
static and custom modes correspond to more advanced DynDNS service subscription. 


CLI (configure)> ip dyndns dyndns [dynamic | static | custom] 


To use eurodns.org DNS support, use the following command line: 


CLI (configure)> ip dyndns eurodyndns [dynamic | static | custom] 


To use no-ip.com support, use the following command line: 


CLI (configure)> ip dyndns no-ip 


Use the following command, to remove the DynDNS provider reference: 
CLI (configure)> no ip dyndns service 
By default, OneOS sends an update to the DynDNS server when an interface with a public IP address 


goes UP (the last one that goes UP). Use the following command line to force the interface whose public 
IP address change will be advertised: 


CLI (configure)> ip dyndns interface <type> <unit> 


Use the no form of the above command to return to default behavior: 


CLI (configure)> no ip dyndns interface 
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11.3 DYNDNS STATISTICS 


To display statistics about DynDNS configuration, use the following command line: 


CLI> show ip dyndns 

DynDns service dyndns 

User oneaccess, password secret 

host used is oneaccess.dyndns.org 

updates 0, errors server 0, authentification 0, system 0 





11.4 DYNDNS DEBUG AND TRACE 


To enable DynDNS debugging, use the following command: 
CLI> debug ip dyndns 


CLI> no debug ip dyndns 
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12 DNS RELAY/PROXY 


This section describes the main features of the DNS Relay/Proxy and its configuration. 





12. 


1 


DNS FEATURES 


DNS (Domain Name Service) is widely used to resolve IP address from host name. The DNS relay/proxy 
module provides the following features: 


DNS Relay (only). This basic feature is meant to receive client's DNS queries and send them to a 
DNS server. Then, receive DNS replies from the DNS server and send them back to the clients. 


DNS proxy cache. The replies from a DNS server can be saved in a local cache such that they can be 
used later to directly reply to DNS queries if the requested resource matches. 


Cached entry aging. Cached DNS resources will be invalid after a time equal to the time-to-live value 
returned in server reply. 


Relaying both UDP and TCP DNS aqueries. 


Multiple DNS servers. This feature can provide failover upon the failure of a DNS server. 


Use of a DNS relay/proxy offers the following advantages: 


Easy configuration. To access the Internet in a Small Office and Home (SOHO) environment, the DNS 
server address is generally dynamically configured, for example, by PPP. Hosts on the inside network 
cannot be configured with DNS server address when the Internet connection is not ready. In this case, 
the access router can function as DNS relay. On the inside hosts, the DNS server address is set to the 
router's address. 


Performance improvement. On low bandwidth links, DNS queries can be sometimes a performance 
bottleneck. It often happens that a number of DNS queries try to resolve IP address from the same 
host name. This results in duplicated traffic over a congested link. DNS cache allows to save DNS 
replies and to process locally DNS queries. This will increase the performance of the Internet link. 


Fault tolerance. It happens that some DNS servers temporarily do not respond to DNS queries. With a 
DNS cache, the applications will continue to work. 


One of main disadvantages of using DNS proxy cache is that DNS based load balancing will no longer 
work. 
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12.2 DNS CONFIGURATION COMMANDS 


The configuration of DNS relay/proxy can be divided into the following steps: 
e Setting name server addresses - required. 

e Configuring cache size - optional. 

e Configuring source address to use while relaying DNS queries - optional. 
e Configuring the local router to use DNS relay/proxy - optional. 


e Configuring client addresses which are allowed to use DNS relay/proxy - optional. 
12.2.1 Setting Name Server Addresses 


To enable the DNS relay/proxy, the only thing required to do is to set one or more DNS server addresses. 
This can be done by using the following command in global configuration mode. At least one IP address 
(up to 3) must be specified. By default, the DNS relay/proxy is disabled. 


DNS servers must be defined on a per-VRF basis. OneOS may learn DNS servers (via DHCP, IPCP). The 
learnt DNS servers will be valid for the VRF corresponding to the interface from which the DNS servers 
were learnt (by default all the interfaces are in the default VRF). 


CLI (configure)> ip dns-proxy dns-server <address> [<address> [<address>]] 
[vr£f <vrf-name>] 
DNS server addresses can also be learned (see 12.2.5 below). 
To disable DNS relay/proxy, use the following command in global configuration mode: 
CLI (configure)> no ip dns-proxy dns-server [vrf <vrf-name>] 


After this command, the DNS relay/proxy will stop to function and all allocated resources (including cache 
memory) will be freed. 


12.2.2 Configuring Cache Size 


The DNS relay/proxy can save the responses returned by a DNS server in the memory cache. By default, 
DNS cache is enabled and the cache size is set to 32K bytes. To change the cache size used by the DNS 
relay/proxy, use the following command in global configuration mode: 


CLI (configure)> ip dns-proxy cache <bytes> [vrf <vrf-name>] 
The cache size is specified in units of bytes. The size of memory necessary for caching a host name and 
address binding varies with the length of domain name. For a simple estimation, it can be reasonably 
assumed that on the average, a host name and address binding requires about 100 bytes of memory. As a 


result, the default cache size allows storing about 320 name/address bindings. The lifetime of a cache 
entry is the TTL (Time-To-Live) value returned by the DNS server, typically in order of hours. 


To make the DNS relay/proxy function as a simple relay without cache, use the following command in 
global configuration mode: 


CLI (configure)> no ip dns-proxy cache [vrf <vrf-name>] 


To set the cache size to its default value, use the following command in global configuration mode: 


CLI (configure)> default ip dns-proxy cache [vrf <vrf-name>] 


12.2.3 Configuring the Source Address of Relay Agent 
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This address is used by the relay agent as the source address to relay DNS queries to DNS servers. To 
configure the source address to use, use the following command in global configuration mode: 


CLI (configure)> ip dns-proxy source-address <interface> [vwrf <vrf-name>] 


interface is the type and unit of the interface whose address will be taken. By default, the source 
address is not set. The address of the outgoing interface is used as the source address in relayed DNS 
query packets. 


To get back to the default behavior, use the following command: 


CLI (configure)> default ip dns-proxy source-address [vrf <vrf-name>] 
12.2.4 Configuring the Local Router to use DNS Relay/Proxy 


To enable the local router to use the same DNS relay/proxy, use the following command in global 
configuration mode: 


CLI (configure)> ip name-server 127.0.0.1 [vrf <vrf-name>] 


To configure the domain name to use, use the following command: 


CLI (configure)> ip domain-name <domain-name> [vrf <vrf-name>] 
12.2.5 Learning DNS Server 


In some application cases, the DNS server is known via DHCP and/or IPCP (on PPP based connections). 
OneOS holds up to 4 learnt DNS server addresses. If one DNS server does not answer, the next one is 
queried. The following command in global configuration mode forces the DNS proxy to use the dynamically 
learnt DNS servers. 


CLI (configure)> ip dns-proxy dns-server learn [vrf <vrf-name>] 


To define the priority among the learnt DNS servers, use the following command in global configuration 
mode: 


CLI(configure)> [no] ip dns-proxy dns-server learn priority { dhcp | ipcp 
| none } [vrf <vrf-name>] 


Another way (exclusive from the previous one) to define the priority among the learnt servers is to use the 
following command in global configuration mode. The priority is given by the order of the given interfaces. 


CLI (configure)> ip dns-proxy dns-server learn from <interfacel> 
[ <interface2> 
[ <interface3 
[ <interface4> J]] 
[vr£ <vrf-name>] 


When DNS resolution cannot happen because a DNS server is not yet learnt (for example the PPP 
connection to learn the DNS is not open because DNS resolution has not happened) a default DNS server 
address has to be provided such the DNS proxy can use this address as the default DNS server as long as 
it has not learnt a DNS server. 


CLI (configure)> ip dns-proxy dns-server learn default-server <ip-addr> 


[vr£ <vrf-name>] 


Note: the default server address can be not valid (e.g. 1.1.1.1). In that case it is used only to open the 
connection to learn the DNS. When the default server address in valid, the default server gets the lower 
priority. 


To stop learning the DNS server addresses, use the following command in global configuration mode: 


CLI (configure)> no ip dns-proxy dns-server learn [vrf <vrf-name>] 
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12.2.6 Configuring Client Addresses 
To limit the use of the DNS relay/proxy by one specific interface, use the following command in global 
configuration mode: 

CLI (configure)> ip dns-proxy proxy-address <interface> [vrf <vrf-name>] 
interface Is the type and unit of the interface allowed to use the DNS relay/proxy. By default, all the 
interfaces are allowed to use the DNS relay/proxy. 

To get back to the default behavior, use the following command: 

CLI (configure)> ip dns-proxy proxy-address any [vrf <vrf-name>] 

Another way to limit the use of the DNS relay/proxy is to exclude specific interfaces, using the following 


command in global configuration mode (given that by default all the interfaces are allowed to use the DNS 
relay/proxy): 


CLI (configure)> [no] ip dns-proxy exclude-address <interface> 


This command can be entered several times. 


Use the no form of the command to remove an excluded address. 





12.3 DNS STATISTICS 


To show the servers used by the DNS proxy: 


CLI> show ip dns-proxy server [vrf <vrf-name>] 


To display DNS relay/proxy statistics, use the following command: 
CLI> show ip dns-proxy statistics [vrf <vrf-name>] 
DNS: proxy ‘statistics: 
4 queries, 2 cached entries, O query failures 


O pending UDP queries, 0 pending TCP queries 


To clear the DNS relay/proxy statistics, use the following command: 


CLI> clear ip dns-proxy statistics [vrf <vrf-name>] 


To view the DNS proxy cache content, use: 


CLI> show ip dns-proxy cache [vrf <vrf-name>] 


To clear the cache content: 


CLI> clear ip dns-proxy cache [vrf <vrf-name>] 
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12.4 DNS CONFIGURATION EXAMPLE 


In this example, hosts on the inside network use the address space 192.168.2.0/24. They are configured 
to use the DNS server 192.168.2.1, which is the address of the access router (FastEthernet 0/0). Two DNS 
servers are provided by the service provider. 






















192.168.2.4/24 
DNS server 
192.168.2.1 





















192.168.2.1/24 

















Private Network 
192.168.2.0 


The configuration script is as follows: 


interface FastEthernet 0/0 
ip address 192.168.2.1 
exit 


ip dns-proxy dns-server 1.1.1.8 1.1.1.9 
ip dns-proxy cache 100000 


ip name-server 127.0.0.1 
ip domain-name isp.com 





12.5 DNS DEBUG AND TRACE 


To enable DNS relay/proxy debugging, use the following command: 


CLI> [no] debug ip dns-—proxy 


To disable DNS relay/proxy debugging, use the no form of the above command. 
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13 VIRTUAL ROUTER REDUNDANCY PROTOCOL 


This section describes the main features of the Virtual Router Redundancy Protocol (VRRP). 


VRRP is a technique that enables a group of routers to form a single virtual router. The LAN clients 
configure the virtual router as their default gateway. 


Dedicated VRRP multicast packets are emitted periodically by the master of the group, thereby proving 
that it owns the virtual address. The other routers of the group are said to be backup routers. If no more 
packets are emitted for any reason, one backup router will declare itself as master. 


The election of a new master router is transparent to LAN clients that keep on using the same virtual IP 
address. 


VRRP is available on FastEthernet, GigabitEthernet interfaces and VLANs of the OneOS-based routers. 





13.1 


13.1 


13.1 


VRRP FEATURES 


1 IPv4 VRRP 


The VRRP implementation is compliant with RFC 2338. The implementation supports one virtual MAC 
address per Ethernet interface. Virtual MAC address setting is optionally configurable: by default the MAC 
address toggles between the virtual address when the router is master, and the physical address when the 
router is backup. This address toggling can be disabled by configuration. In addition it is automatically 
disabled if more than one Virtual Router is configured on an interface. 


On OneAccess router switch interfaces, be aware of the following: a single MAC address is supported for 
all the physical and VLAN interfaces of the switch. So if a Virtual Router is configured on one of the 
interfaces of the switch, the virtual MAC address will apply also on all the other interfaces of the switch 
when the Virtual Router becomes master. 


An alternate MAC address behavior can be optionally enabled on the switch interface. By default this 
behavior is disabled. When enabled, each interface of the switch owns its own MAC address 
independently of the others, and the MAC addresses never toggle between virtual and physical ones, 
whatever the master/backup state of the Virtual Router(s): the master Virtual Routers are accessed via 
their virtual MAC addresses, and simultaneously the real router is accessed via the physical MAC 
addresses. 


ie IPv6 VRRP 


OneOS VRRP implementation for IPv6 is based on draft-ietf-vrrp-ipv6-spec-08.txt. For the time being, only 
interoperability between two OneAccess routers is guaranteed. As the draft document moves to RFC 
status, OneAccess will ensure its full support of VRRP specification for IPv6 and interoperability with third 
party. VRRP with IPv6 is configured in the same way as |Pv4. 
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13.2 VRRP CONFIGURATION COMMANDS 


Note: as of V5.1R3E1 software release, the existence of multiple VRF in router configuration is transparent 
to VRRP. 


A Virtual Router is configurable per interface and per virtual router identifier. It is not possible to configure 
the same virtual router identifier on several interfaces. 


To enter virtual router configuration mode and start running a VRRP daemon, use the following command 
in interface configuration mode: 


CLI (config-if)> vrrp <vrid> 
CLI(Contig-—1t-Vvirrp)> 


13.2.1 Virtual Router IPv4 Address 


To set the virtual router |Pv4 address to an interface, use the following command in VRRP configuration 
mode: 


CLI (config-if-vrrp)> [no] address <virtual-router-ip-address> [<mask>] 


The network mask Is optional. If not provided, the network mask of the relevant interface will be used. 


The main virtual address is the first that is set on the interface, while secondary addresses follow the 
configuration order. 


It is authorized, but not recommended, to use the same address as a real address and as a virtual 
address, thus occasioning duplicated addresses with two routers alive. The address part of the command 
must be provided the first time for virtual router configuration. Then, the CLI enters in VRRP configuration 
mode. 


To delete an IPv4 address, use the no form of the above command. 
13.2.2 Virtual Router IPv6 Address 


To set the virtual router |Pv6 address to an interface, use the following command in VRRP configuration 
mode: 


CLI (config-if-vrrp)> [no] ipv6 address prefix <X:X:X:X:X:X>/<0-128> 


Note that if no virtual mac~—address Is in force (see below), it is mandatory to set the virtual router 
link-local scope IPv6 address using: 


CLI (config-if-vrrp)> [no] ipv6 address <X:X:X::X> link-local 


To delete an IPv6 address, use the no form of the above commands. 
13.2.3 Virtual MAC Address 


By default, a single virtual MAC address is enabled on the interface. It is required to disable this MAC 
address if more than one VRRP is supported. The following command is automatically added by OneOS 
(and then displayed in the show running-config command): 


CLI (config-if-vrrp)> no virtual mac-address 


If the multi-MAC address option is configured (when supported by the interface — see "Multiple MAC 
Addresses on Switch Ports" chapter in "OneOS — Bridging and LAN User Guide" document), the above 
command is no more needed, not applied, and not displayed in the show running-—config command. 


13.2.4 Setting a Priority of a Router 


Basic IP User guide Page 13.2-132 of 150 


ONEOS V4.3R4 /V5.1R3 BASIc IP USER GUIDE (EDITION 10) 


To set priority to an interface and a virtual router identifier, use the following command in VRRP 
configuration mode: 


Cli, (Coniig-Li-virp)> prioraty <l=255> 
The higher the priority, the higher the router is able to be master within a virtual group. Setting to 255 will 
force the router to be master. 


To reset priority to the default priority (100), use the no form of the above command. 
13:..2:5 Preemption 


To prevent a router from being master because it has a higher priority than the other routers of the group, 
use the following command in VRRP configuration mode: 


CLI (config-if-vrrp)> no preempt 


However, if no messages are received on the configured interface, it will become master. 


To come back to default preemption mode, or change the default preemption timer, use the following 
command: 


CLI (config-if-vrrp)> preempt <1-3600> 
13.2.6 Advertisement Timer 


To configure the advertisement timer to an interface and a virtual router identifier, use the following 
command in VRRP configuration mode: 


CLI (config-if-vrrp)> timer advertise <1-3600> 


The timer must be given in seconds. 


To reset the advertisement timer to the default value (1 second), use the no form of the above command. 
13.2.7 Timer Learning 


To learn the advertisement timer of the current master of the virtual group, use the following command in 
VRRP configuration mode: 


CLI (config-if-vrrp)> timer learn 


Router will then change its advertisement timer to the same as the master one. 


To prevent from learning and to reset to the default behavior, use the no form of the above command. 
13.2.8 Authentication Password 


To enable simple text authentication within VRRP packets, use the following command in VRRP 
configuration mode: 


CLI (config-if-vrrp)> authentication <password> 


To disable authentication, and reset to the default behavior, use the no form of the above referenced 
command. 


13.2.9 Monitoring Interface 


The VRRP router can be monitored using a different interface from that where the VRRP router is defined. 
The following command defines the interface where messages for virtual router monitoring are exchanged, 
beginning in VRRP configuration mode: 


CLI (config-if-vrrp) > monitoring-interface 

ethernet <slot>/<port>[.<sub-if>] 
fastethernet <slot>/<port>[.<sub-if>] 
gigabitethernet <slot>/<port>[.<sub-if>] 
dotllradio <slot>/<port>[.<sub-if>] 


pain, 
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| efm <slot>/<port>[.<sub-if>] | serial <slot>.<port> 
| dialer <id> | 12tunnel <id> | tunnel <id> } 


13.2.10 Tracking Interface 


13.2. 


13.2. 


Usually, the VRRP routers communicate using LAN interfaces. If the WAN link fails, it makes then sense to 
swap router priorities so that the router with an operational WAN link becomes the active router. 


The following command defines the interface where status is monitored. When the interface becomes 
down, the VRRP router priority decreases by 20. If the interface is up again, the VRRP router recovers its 
default priority: 


CLI (config-if-vrrp)> tracking-interface 

ethernet <slot>/<port>[.<sub-if>] 

fastethernet <slot>/<port>[.<sub-if>] 

gigabitethernet <slot>/<port>[.<sub-if>] 

dotllradio <slot>/<port>[.<sub-if>] | loopback <id> 
atm <port>[.<sub-if>] | pstn <slot>/<port>[.<sub-if>] 
efm <slot>/<port>[.<sub-if>] | serial <slot>.<port> 
dialer <id> | 12tunnel <id> | tunnel <id> } 


a Spies, 


11 Tracking List 


Alternatively, instead of tracking an interface state, the router priorities can be swapped according to 
events monitored by a dialer watch-list. In this list you can define a combination of interfaces and/or routes 
whose status has to be monitored. When the watched item(s) is (are) down (loss of route(s) and/or 
interface(s) status down) the VRRP router priority decreases by 20, thus permitting the peer VRRP router 
to take precedence. When the watched condition is up again, the VRRP router recovers its configured 
priority. 


You can optionally define a delay before the down (respectively up) status of the watched list is confirmed 
and signaled. The default values of the up and down delay is 30 seconds. 


CLI (config-if-vrrp)> tracking-list <dialer watch-list name> [ <up-delay> 
[<down-delay>]] 


You configure a dialer-watch-list at the global configuration level by the following command (see "Backup 
using Route Monitoring (Dialer Watch-List)" section in "OneOS — WAN User Guide" document): 


CLI (configure) > dialer watch-list [logical-any | logical-all] <list-—name> 
12 Sending SNMP Traps 


Whenever a VRID has a state change (master/idle), a trap can be issued. To activate trap sending: 


CLI (configure)> [no] snmp traps vrrp 





13 


.3 


VRRP CONFIGURATION EXAMPLES 


This section includes two examples showing how to configure: 
o Abasic VRRP topology. 
o Load sharing with redundant VRRP topology. 


13.3.1 Basic VRRP Topology 


The following example shows a simple LAN topology in which VRRP is configured. In this example, 
Routers A and B are VRRP routers (routers running VRRP) that form a virtual router. The IP address of the 
virtual router is the same as that configured for the FastEthernet interface of Router A (10.0.0.1). 
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Virtual router group 1 
IP=10.0.0.1 





LAN clients, 
Default gateway: 
gw=10.0.0.1 















































The configuration script is as follows for router A: 


interface FastEthernet 0/0 
ip address 10.0.0.2 255.255.255.0 
vrrp 1 
address 10.0.0.1 255.255.255.0 
timers advertise 2 
priority 150 
exit 
exit 


The configuration script is as follows for router B: 


interface FastEthernet 0/0 

ip address 10.0.0.3 255.255.255.0 
vrrp 1 

address 10.0.0.1 255.255.255.0 
timers learn 

exit 
exit 


A is always master, except when unavailable. 
13.3.2 Load Sharing with Redundant VRRP Topology 


In this topology, two virtual routers are configured. 


For virtual router 1, Router A is the owner of IP address 10.0.1.2 and the master virtual router, Router B is 
the backup virtual router to Router A. Two clients are configured with the default gateway IP address of 
10.0.1.1. 


For virtual router 2, Router B is the owner of IP address 10.0.2.2 and master virtual router, and Router A is 
the backup virtual router to Router B. Two clients are configured with the default gateway IP address of 
10.0.2.1. 


Router C is linked to router A and B, via two ATM links. It is informed using the RIP routing protocol of 
which route is best to reach the two 10.1.2.0/24 and 10.1.1.0/24 sub-networks. 


When router A is master for virtual router 1 and B is master for virtual router 2, the two sub-networks are 
routed to the two respective ATM links. 


If router B fails, then router A is becoming master for virtual router 2, and adds as a secondary address 
10.1.2.1. Both redundant routers send RIP routes with the same metric to the gateway C. 


If router B has been reset, then the two routes 10.1.2.0 will be available for a certain time at gateway C. 
However, if router B is still available, and that virtual router 2 is backup (for example if a priority change 
occurred), all RIP routes to the backup interfaces are removed, thus informing gateway C of the sudden 
change in routing information. 
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The configuration script is as follows for router A: 


no virtual mac-address 
interface FastEthernet 0/0 
ip address 10.0.1.2 255.255.0.0 
vrrp 1 
address 10.0.1.1 255.255.255.0 
authentication groupl 
priority 150 
exit 
vrrp 2 
address 10.0.2.1 255.255.255.0 
authentication group2 
exit 
exit 


! here you configure pvc atm 

! optionally, rip helps inform fastethernet interface 
router rip 

network 10.0.0.0 

! atm interface 

network 52.0.0.0 

exit 


The configuration script is as follows for router B: 


no virtual mac-address 
interface FastEthernet 0/0 
ip address 10.0.2.2 255.255.0.0 
vrrp 1 
address 10.0.1.1 255.255.255.0 
authentication groupl 
exit 
vrrp 2 
address 10.0.2.1 255.255.255.0 
authentication group2 
priority 150 
exit 
exit 


! here you configure pvc atm 

! optionally, rip helps inform fastethernet interface 
router rip 

network 10.0.0.0 

! atm interface 

network 53.0.0.0 

exit 
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The configuration script would be as follows for C gateway: 


! here you configure pvc atm 
! optionally, rip helps inform fastethernet interface 


router rip 
network 52.0.0.0 
network 53.0.0.0 
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13.4 VRRP STATISTICS 


To display statistics about the existing virtual groups: 


CLI> show vrrp statistics 

Virtual Router Identifier 1 

IN: 3153 advertisements, O zero-priority advertisements 

O bad length, O bad vrid, 0 time-to-live errors, 0 bad type 
QO advertisement interval mismatch, 0 address mismatch 

0 bad authentication type, 0 authentication type mismatch 

QO authentication failures 

OUT: 3153 advertisements, O zero-priority advertisements 

1 times became master 


It is possible to clear VRRP statistics, using the following command: 


CLI> clear ip vrrp 


To display information about the existing virtual group: 


CLI> show vrrp vrid 1 

FastEthernet 0/0 —- Group 1 

State is master 

Virtual IP address 10.0.0.1, Netmask 255.255.255.0 (0) 
Virtual Mac address is 00:00:5e:00:01:01 
Advertisement interval is 2 sec 

Preemption is enabled, min delay is 15 sec 

Priority: 150 

Master Route is 10.0.0.1 (local), priority is 150 


To display information about the existing VRRP configuration on any interface, use the following 


command: 


CLI> show vrrp interface fastethernet 0/0 
FastEthernet 0/0 - Group 1 

State is master 

Virtual Mac address is 00:00:5e:00:01:01 

Virtual IP address 10.0.0.1, Netmask 255.255.255.0 (0) 
Advertisement interval is 1 sec 

Preemption is enabled 

Priory 50 

Master router is 10.0.0.1 (local), priority is 150 
FastEthernet 0/0 —- Group 2 

State is backup 

Virtual IP address 10.0.0.2, Netmask 255.255.255.0 (1) 
Virtual Mac address is 00:00:5e:00:01:02 
Advertisement interval is 1 sec 

Preemption is enabled 

Priority 100 





13.5 VRRP DEBUG AND TRACE 


To enable IP interface debugging, use the following command: 


CLI> debug ip vrrp 


To disable IP interface debugging, use the no form of the above command. 
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14 1CMP ROUTER DISCOVERY PROTOCOL (IRDP) 





14.1 INTRODUCTION TO IRDP 


This section describes the main features of the ICMP router Discovery Protocol (IRDP). 


IRDP is a technique that enables a group of hosts to discover the router that serves as their default 
gateway. When a gateway fails, the LAN clients are able to discover a new gateway. 


Dedicated IRDP advertisement messages are emitted periodically by routers with advertising interface 
enabled, thus telling hosts on the local sub-network that the router is a valid gateway for a defined duration 
of time. 


Rather than waiting for advertisement messages, LAN clients can send solicitation messages. IRDP 
solicitation messages are immediately processed and permit remote hosts to update their routing 
information faster than with a standard routing protocol IRDP is available for all interfaces supporting 
broadcast and/or multicast. 


The IRDP implementation is compliant with RFC 1256. 
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14.2 IRDP CONFIGURATION COMMANDS 


IRDP is configurable in interface configuration mode. 


Note: as of V4.38R2E2 software release, IRDP is only supported on the default VRF. 
14.2.1 Enabling IRDP 


To enable IRDP on an interface and listening to IRDP messages, use the following command in interface 
configuration mode: 


CLI(config-if)> ip irdp enable 


IRDP advertisements are sent periodically, according to IRDP timer configuration. 
14.2.2 Configuring Hold Time 


The IRDP hold time is the number of seconds that the router address can be considered valid. To 
configure hold time, use the following command in interface configuration mode: 


CLI (config-if)> ip irdp holdtime <0-9000> 


To reset hold time to its default value, use the following command in interface configuration mode: 


CLI (config-if)> no ip irdp holdtime 


Default value is 1800 seconds. 

14.2.3 Configuring Advertisement Interval 
To configure the interval between emitted advertisements messages, the RFC recommends randomizing 
emission, thereby reducing the probability of synchronization with the advertisements from other routers. 


Advertisement interval is chosen between the two below intervals, and is expressed in seconds. 


CLI (config-if)> ip irdp minadvertinterval <3-1800> 
CLI (config-if)> ip irdp maxadvertinterval <4-1800> 


However, it is possible to strictly configuring a period, by using the same _ interval for 
minadvertinterval and maxadvertinterval. 


The default minadvertinterval and maxadvertinterval values are respectively 450 and 600 
seconds. To reset to default value, use the following commands in interface configuration mode: 


CLI (config-if)> no ip irdp minadvertinterval 


CLI (config-if)> no ip irdp maxadvertinterval 
14.2.4 Configuring Preference 


It is possible to associate the sending router's IP addresses on the interface from which this message Is 
sent, with a preference level. The higher the preference level, the more preferable the addresses are 
elected by the hosts. 


To configure preference, use the following command in interface configuration mode: 


CLI (config-if)> ip irdp preference <-2147483648 ... 2147483647> 


To reset preference to default value (0), use the following command in interface configuration mode: 
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CLI (config-if)> no ip irdp preference 
14.2.5 Broadcast/Multicast Emission 


It is possible to force advertisement message encapsulation within broadcast packets. Use the following 
command in interface configuration mode to: 


CLI (config-if)> no ip irdp multicast 


To reset emission to multicast, use the following command in interface configuration mode: 


CLI (config-if)> ip irdp multicast 





14.3 IRDP CONFIGURATION EXAMPLES 


The following example shows a simple LAN topology in which IRDP is configured. In this example, Routers 
A and B send advertisements messages and present their own interface addresses. 





LAN clients, 
Default gateway: 
gw=10.0.0.2 















































The configuration script is as follows for router A: 


interface FastEthernet 0/0 
ip address 10.0.0.2 255.255.255.0 
ip irdp minadvertinterval 30 
ip irdp maxadvertinterval 60 
ip irdp holdtime 45 
ip irdp preference 10 
ip irdp enable 
exit 


The configuration script is as follows for router B: 


interface FastEthernet 0/0 
ip address 10.0.0.3 255.255.255.0 
ip irdp minadvertinterval 30 
ip irdp maxadvertinterval 60 
ip irdp holdtime 45 
ip irdp enable 
exit 


While A is present, A is always accepted by LAN clients, as A’s preference is bigger than B’s. However if A 
is not present, then, LAN clients choose B as new gateway. 
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14.4 IRDP STATISTICS 


To display statistics about the existing IRDP interfaces: 


CLI> show ip irdp 
FastEthernet 0/0: router discovery enabled 

advertisements multicast sent between 30 and 60 sec. 
validity 45 sec. no preference configured 

IN: solicitations 3 (bad 0) 

OUT: advertisements 10 (answers 3, broadcast 0, multicast 7) 


It is possible to clear IRDP statistics, using the following command: 


CLI> clear icmp counters 





14.5 IRDP DEBUG AND TRACE 


To enable IRDP debugging, use the following command: 


CLI> debug ip irdp 


To disable IRDP debugging, use the no form of the above command. 
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15 


IP SERVER LOAD BALANCING (SLB) 


The purpose of Server Load Balancing is to distribute the load over several servers when processing a 
large number of client requests. 


The benefits of Server Load Balancing (SLB) are the following: 


- Higher performance and scalability: as the load is shared among multiple servers, a high number of 
requests can be processed. The system is scalable; a new server can be installed to manage increased 
performance requirements (instead of replacing the server by a larger machine, thus requiring longer 
service outage and more investment). 


- Higher service availability: if a server is not operational, client requests are forwarded to other operational 
servers. Therefore, the service remains available provided that the required load does not exceed the 
capacity of remaining servers. 


Typical Architecture of SLB: 

It is made up of: 
o Aserver farm, which gathers several (real/physical) servers (server 1, 2, 3...). 
o A virtual server which will represent the server farm to the outside world. 


o The Load Balancer (SLB Router), which implements the virtual server and distributes the 
connections to the servers’ member of the server farm. 


Server 1 Server 2 Server 3 
20.1.1.44 20.1.1.23 20.1.1.103 


ao oO 
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192.168.2.11 192.168.2.X 









































When the SLB router receives a client request, OneOS-based router uses a scheduling algorithm to decide 
which server the client shall establish a dialog with. The router memorizes the session parameters for that 
client allowing packets to and from that client to always follow the same path. This guarantees that the 
client always dialogs with the same physical server. 
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15. 


1 


SLB FEATURES 


15.1.1 Scheduling Algorithms 


15. 


15. 


15. 


15. 


15. 


15. 


15. 


The OneOS SLB provides the following scheduling algorithms: 


- Weighted round robin: each server has an associated weight n; new connections are assigned to the 
server n times before choosing the next server in the farm. 


- Weighted least connections: each server has an associated weight n. Using this weight, the relative 
capacity of this server is calculated as n/(n1 + n2 + n3 +...). A new connection is assigned to the server 
with the fewest active connections relative to its capacity. 


.2 Automatic Server Failure Detection 


SLB automatically detects failed TCP connections to a physical server and counts them. If a failure 
threshold is exceeded then the server is declared out of service and is removed temporarily from the list of 
active servers. 


.3 Automatic Un-fail 


After a failed server is removed from the list of active servers, no connections are allocated to that server. 
After a configurable retry period, if the server is successfully tested, then the server is added back to the 
list of active servers. Otherwise, the server will wait for another retry period. 


4 Client-Assigned Load Balancing 


For a virtual server it is possible to restrict access by specifying a list of allowed clients. This can be used 
to redirect the requests of a set of clients to a virtual server, and the requests of other clients to another 
virtual server. 


5 Delayed Removal of TCP Connection Context 


Because SLB uses NAT, it benefits from this feature: the removal of sessions can be delayed even though 
the SYN_CLOSE message was intercepted. 


.6 Maximum Connections - Maximum Clients 


The maximum number of simultaneous connections or clients per physical servers can be configured. If 
this number is reached for a specific server and if another server is not available, then the incoming 
connections will be dropped. This configuration parameter limits the impact of some malicious attacks. 


7 Server NAT 


The implementation of SLB uses a specific NAT mechanism called "server NAT". The destination address 
of the incoming packets is rewritten with the address of a physical server. This imposes some restrictions 
on network topology: all packets coming from the physical servers must transit through the SLB router as 
wells as those addressed to the SLB clients. 


.8 Server Port Translation and Port-Bound Servers 


A virtual server can be configured to handle the requests only for a specific TCP or UDP port. In this case 
the physical servers will also listen to a configured port and the destination port from the incoming packets 
will be translated to the real server port (the destination address will be translated to the physical server 
address - see Server NAT). The difference with classical SLB is the fact that load-balancing is done for 
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specific application ports. Packets that are addressed to different ports of the virtual server are not 
redirected. 


OneOS SLB supports both port-bound and non-port-bound servers. 
15.1.9 Sticky Connections 


Sometimes, a client transaction can require multiple consecutive connections, which means new 
connections from the same client IP address or subnet must be assigned to the same real server. 
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15.2 SLB CONFIGURATION 


LOe2. 


The configuration is done in 2 steps: 
1. A server farm must be configured. 
2. Avvirtual server must be configured. 
The virtual server address must be configured either as a loopback address or as a secondary IP address. 


Note: as of V4.3R2E2 software release, SLB is not supported outside default VRF. 
1 Server Farm Configuration 
CLI (configure)> ip slb serverfarm <farm-—name> 
Creates a server farm, then, the scheduling algorithm can be selected. By default, the weighted round 


robin algorithm is used. If the 'weighted least connections’ is used instead, the following command must be 
entered: 


CLI(slb-serverfarm) > predictor leastconns 


To return to default value, enter 'no predictor’. A server farm is composed of several real servers. 


15.2.2 Real/Physical Server Configuration 


The following commands add a real server to the server farm and authorize the SLB router to distribute 
load to that server: 


CLI (slb-serverfarm)> real <ip-address> [<port>] 
CLI (slb-real-serv)> inservice 


Additionally to the address of the server, a server port can be optionally configured. All connections to the 
real server will be redirected to the specified server. This works in tandem with port-bound virtual servers. 
To delete a real server, use "no real <address> [<port>]" 


Several parameters can be configured in this configuration mode: 


weight <1-255> - Relative weight in the server farm. The bigger the weight, the more connections will 
be allocated to the real server. Default: 8 


maxclients <0-2000> - Maximum number of clients the real server will manage simultaneously. If 
additional clients try to connect, the connections fail. The clients are actually the different IP addresses 
connected to the SLB router. Please note that the client management functions only when the virtual 
server associated with this real server, is configured to have sticky connections. If the sticky option is off, 
the clients are not counted. Default: 2000 


maxconns <0-2000> - Maximum number of simultaneous connections; additional connections will be 
refused. Default: 65,535 (in other words, almost unlimited) 


faildetect numconns <1-255> - When the number of consecutive failed connections has reached 
this value, the server is declared SERVER DOWN and no further connections will be redirected for the 
retry period. Default: 8 


faildetect numclients <1-8> - Similar to the above command, this represents the number of 
consecutive failed connections coming from different clients. Default: 2 


retry <1-3600> - The retry period in seconds. After a server is declared SERVER DOWN, clients 
request are no longer sent to that server. After "retry" seconds, the server is tested and if successful, it is 
declared OPERATIONAL again. Otherwise the server remains SERVER_DOWN for another "retry" period. 
Default: 60 


inservice - Enables the server. The no inservice command disables the server. 
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"no weight", "no maxclients", "no faildetect numconns" etc., will set the default values for 
the respective parameters. 


15.2.3 Virtual Server Configuration 


A simple TCP configuration: 


CLI (configuration)> ip slb vserver vserverl1 


( 
CLI(slb-vserver)> virtual 192.168.2.191 tcp 
CLI(slb-vserver)> serverfarm farml 
CLI(slb-vserver)> inservice 
ChLI(slb-vserver)> exit 


For a virtual server, the following parameters must be configured: 
A virtual address and protocol (optionally a port): 
CLI (slb-vserver)> virtual <address> <tcp | udp> [<port>] 
The incoming connections with the protocol, port and IP address of the virtual server will be redirected 
using the SLB algorithm. 
A server farm name must be provided as follows: 
CLI (slb-vserver)> serverfarm <name> 


The virtual server will use the actual servers declared in the specified server farm. The server farm must 
be previously declared. 


Optionally, the following parameters can be configured: 


sticky <0-65535> - All connections coming for the same IP address will be redirected to the same real 
server if this option is configured. The parameter sets the period in seconds during which the (client-real 
server) mapping will be active after the connection closing. A value bigger than 0 means that the mapping 
will be active for the specified period even if there are no more active connections. When a new connection 
is requested, it will be redirected to the same real server. To disable sticky connections, use 'no sticky’. 
The default behavior is 'no sticky’. 


clients <ip address> <net mask> - only the specified clients are allowed to connect to SLB, the 
other connections will be dropped. 


idle <0-65535> - (for TCP connections only) Period of time (in seconds) during which the connection is 
considered operational when there is no traffic. Default value: 3600. 


delay <0-655535> - (for TCP connections only) Period of time (in seconds) during which the connection 
is considered active even after SYN_CLOSE is received; this enables delayed packets to be correctly 
redirected. Default value: 60. 


inservice - will enable the virtual server. The virtual server is out of service until this command is 
explicitly entered. To stop a virtual server, use the no inservice command. 


To delete a virtual server, use the no ip slb vserver <name> command. 
15.2.4 Port Bound Servers 


A server can be configured to accept traffic only on a port. 
To configure this service, use the complete form of the virtual command: 


CLI (slb-vserver)> virtual <address> <tcp | udp> <port> 


This command can be used in tandem with real server port redirection. 
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15.3 SLB STATISTICS 


To show the general statistics, use the following command: 
CLI> show ip slb stats 


To show the list of active connections, which can be filtered by virtual server or client, use the command: 


CLI> show ip slb conns [client <ipaddress> | vserver <name>] 


To display information about a server farm, use the following command: 


CLI> show ip slb serverfarm <name> 


To display information about real servers, use the following command: 


CLI> show ip slb reals [vserver <name>] 


To display information about virtual servers, use the following command: 


CLI> show ip slb vserver [name <name>] 


To display information about sticky connections, use the following command: 


CLI> show ip slb sticky [client <ipaddress> | vserver <name>] 





15.4 SLB CLEAR COMMANDS 


To clear all the active SLB connections, use the following command; optionally it can clear only the 
connections for a specific virtual server. 


CLI> clear ip slb conns [vserver <name>] 


To clear all the active sessions, use the following command. The session table is active only in case of 
virtual servers with the sticky option enabled. Each session represents a single client (IP address). This 
command will also clear the connections for the specified virtual server. 


CLI> clear ip slb sessions [vserver <name>] 


To reset the general counters of SLB, use the following command: 


CLI> clear ip slb counters 
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15.5 SLB CONFIGURATION EXAMPLE 


A basic configuration: two server farms, one with 3 real servers and one with 2. 


ip slb serverfarm PUBLIC 
predictor leastconns 
real 10.1.1.1 

faildetect numconns 4 
retry 30 

inservice 

exit 


real 10.1.1.2 
faildetect numconns 4 
retry 30 

inservice 

exit 


real 10.1.1.3 
faildetect numconns 4 
retry 30 

inservice 

exit 


exit 


ip slb serverfarm RECTRICTED 
real 20.1.1.1 

faildetect numconns 6 

retry 60 

inservice 

exit 


real 20.1.1.2 
faildetect numconns 6 
retry 60 

inservice 

exit 

exit 


ip slb vserver PUBLIC_HTTP 
serverfarm PUBLIC 

virtual 100.0.0.1 tcp 80 
idle 120 

delay 5 

inservice 

exit 


ip slb vserver RESTRICTED_HTTP 
serverfarm PUBLIC 

virtual 100.0.0.1 tcp 80 

idle 120 

delay 5 

clients 200.1.1.0 255.255.255.0 
sticky 60 

inservice 

exit 


In this example, the first virtual server (Public HTTP) is accessible to everyone and the second (Restricted 
HTTP) is only accessible by clients specified in the 200.1.1.0/24 address range. 
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The other types of TCP or UDP connections are not managed by the SLB service but by the normal 
services of the router. The remaining traffic being not managed by the SLB service, packets are processed 
through NAT, ACL ...and so on. By default NAT is "bypass-all". If we don't want packets to pass through 
the router, we can configure an access-list that will deny all other incoming connections, so only the SLB 
connections will be accepted; this is achieved as follows: 


ip access-list standard denyall 
deny all 
exit 


interface ethernet 0/0 


ip access-group denyall in 
exit 
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